Kalman Filter-Based Integrity Monitoring Against Sensor Faults

Mathieu Joerger¹ and Boris Pervan², Illinois Institute of Technology, Chicago, Illinois, 60616

This paper introduces a new Kalman filter-based method for detecting sensor faults in linear dynamic systems. In contrast with existing sequential fault-detection algorithms, the proposed method enables direct evaluation of the integrity risk, which is the probability that an undetected fault causes state estimate errors to exceed predefined bounds of acceptability. The new method is also computationally efficient and straightforward to implement. The algorithm’s detection test statistic is established in three steps. First, the weighted norms of current and past-time Kalman filter residuals are defined as generalized non-centrally chi-square distributed random variables. Second, these residuals are proved to be stochastically independent from the state estimate error. Third, current-time and past-time residuals are shown to be mutually independent, so that the Kalman filter-based test statistic can be recursively updated in real time by simply adding the current-time residual contribution to a previously computed weighted norm of past-time residuals. The Kalman filter-based integrity monitor is evaluated against worst-case fault profiles, which are also derived in this paper. Finally, performance analysis results are presented for an example application of aircraft precision approach navigation, where differential ranging signals from a multi-constellation satellite navigation system are filtered for positioning and carrier phase cycle ambiguity estimation.

¹ Senior Research Associate, Department of Mechanical, Materials and Aerospace Engineering, Member AIAA.
² Professor, Department of Mechanical, Materials and Aerospace Engineering, Associate Fellow AIAA.

I. Introduction

Dynamic estimators designed to operate under nominal conditions are vulnerable to rarely-occurring faults such as sensor failures. Detection algorithms can be implemented to mitigate the impact of sensor faults on estimator performance [1, 2], which is essential in safety-critical applications such as vehicle automation for ground and air transportation [3, 4]. Of primary concern in these types of applications is the system’s ability to evaluate the integrity risk, which is the probability of undetected faults causing the estimate error to exceed predefined limits of acceptability (also called alert limits [3, 4]). Most approaches currently implemented in real-time systems use simple measurement processing schemes, which facilitate integrity risk monitoring at the cost of decreased estimation performance. For example, existing satellite-based navigation systems designed for aviation applications are based on snapshot position estimation [4-6], which can limit the accuracy and fault-free integrity performance.

In this paper, a new sequential fault-detection algorithm is derived, analyzed, and evaluated. This algorithm opens the possibility of optimal estimation using a Kalman filter under nominal conditions, while enabling accurate and efficient integrity risk evaluation in the presence of measurement faults.

Despite multiple prior approaches (reviewed below), there is currently no widely used sequential fault-detection algorithm in safety-critical applications. One major shortcoming of published methods is their limited ability to accurately quantify integrity risk. In practice, integrity risk evaluation is needed when designing dynamic systems to achieve required levels of integrity, and it is needed operationally to predict if a mission can be safely initiated. Evaluating integrity risk includes both assessing the fault detection capability and quantifying the impact of undetected faults on state estimate errors. Model-based fault detection methods include integrity monitoring (IM) algorithms, which provide the means for rigorous integrity risk computation.
Most existing implementations of IM are ‘snapshot’ detection schemes [4-6]. For instance, the receiver autonomous integrity monitoring (RAIM) method used in Global Navigation Satellite Systems (GNSS) exploits redundant observations at one time of interest [7-9]. Snapshot IM is a natural choice for punctual state estimation, but it is insufficient for sequential implementations that involve measurement filtering, for example using a Kalman filter. The Kalman filter (KF) is a recursive estimator that exploits information from both the measurements and the system’s dynamic model. The KF is widely implemented because it recursively generates optimal current-time state estimates, which maximizes current-time accuracy and fault-free integrity performance.

In safety-critical applications, the sequence of measurements used for estimation must be monitored against rare event faults. In contrast with nominal measurement errors, whose distributions can be reliably modeled using large amounts of experimental data, sensor faults are difficult to observe because of their low probability of occurrence. In order to avoid making assumptions on unknown fault distributions, a bound on the integrity risk corresponding to the worst-case fault can be evaluated. This bound is then compared to a specified integrity risk requirement to assess ‘availability,’ which is defined as the fraction of time where outputs of the estimation system can safely be used [4, 5]. It is therefore of primary importance for system availability to derive a tight bound on the integrity risk.

Sequential detection approaches have been investigated over the past 60 years [1, 10, 11, 12]. The large majority of published algorithms have aimed at detecting abrupt changes in a random variable distribution [13-17]. The algorithms include multiple-hypotheses [18-21] and innovation-based methods [22-25], and have been employed in a variety of applications including financial and medical surveillance applications [26], industrial quality-control [1, 27], sonar noise cancellation [28], and target tracking [29]. However, most of these procedures quantify the fault-detection capability in terms of time-to-detect, without regard to the fault’s impact on state estimates, hence leaving integrity risk evaluation unaddressed. Additional references are cited in [29]: the extensive literature review of research efforts carried out over the past two decades demonstrates the lively and sustained interest in real-time sequential fault detection methods, especially in the context of tightly-coupled integration of the Global Positioning System (GPS) with Inertial Navigation Systems (INS).
The most elaborate sequential fault-detection algorithms provide protection level equations, which are measures of the integrity risk in terms of position state-domain bounds. But these bounds are loose [30-34] and they require computationally expensive processes. For example, the solution-separation approach to sequential implementations uses banks of KF [35], whose number increases as the number of samples in the time sequence increases. In response, in this work, a new, computation- and memory-efficient KF-based IM method is derived, which can be implemented in real-time while providing a tight bound on the integrity risk under the worst-case fault assumption.

In Section II of this paper, a batch least-squares residual-based IM algorithm is described, which was introduced in [36] for a specific navigation application, and is generalized here to linear dynamic systems. The batch IM approach is similar to the well-established snapshot RAIM used in GPS applications [7-9], but it is applied to a sequence of measurements and of system dynamics over a finite window in time. Least-squares batch implementations can be implemented sequentially using a sliding-window mechanism. But they also require considerable computation and memory resources for the storage and processing of past-time measurements and state coefficients – which is why a KF-based IM approach is ultimately pursued. Still, in this work, the batch IM approach is used to derive results that will be extended to KF-IM. For instance, given a time sequence of measurements and state dynamics, the fact that the current-time state estimates are identical for a KF and for a batch estimator is exploited. Also, measurements stacked in a batch can be expressed in a single equation, which is much easier to analyze than a KF (which iteratively processes multiple equations). Finally and most importantly, batch-IM highlights two conditions that facilitate the evaluation of a tight bound on the integrity risk: first, the state estimate and detection test statistic are statistically independent, and second, their probability distributions are known. The KF-IM test statistic is specifically designed to satisfy these two key-conditions.

Section III describes the KF-IM. In the first part of Section III, the weighted norm of the current-time KF residual is shown to be independent from the estimate error, and it is proved to follow a generalized non-central chi-square distribution, whose parameters are fully identified. Thus, the current-time KF test statistic fulfills the two key-conditions that enable the determination of a tight bound on the integrity risk. But the KF also generates past-time residuals, which could be exploited to improve detection of faults that persist in time, and could provide early indicators of threats affecting current-time and future-time state estimates. Therefore, in the second part of Section III, a cumulative KF-IM test statistic is established using both current and past-time residuals. First, the probability distributions of past-time residuals are defined. Second, it is proven that current-time state estimates and past-time residuals are statistically independent. Third, the random parts of current-time and past-time residuals are shown to be mutually independent. As a result, KF-IM achieves rigorous integrity risk bound evaluation using a test-statistic that can be recursively updated, by simply adding a current-time component to an accumulated past-time residual-based test statistic.

In addition, in Section IV, a method is developed to derive the worst-case fault affecting a measurement sequence. Measurements collected during the filtering period are all vulnerable to rare-event integrity threats. In order to capture the impact of such failures over time, a set of realistic fault modes can be considered including impulses, steps, and ramps of all magnitudes and start times. But this set of canonical faults does not constitute a comprehensive description of all integrity threats. To circumvent this problem, a new concept is introduced for the batch-IM implementation with the derivation of theoretical worst-case faults, which maximize the integrity risk. Worst-case fault profiles are instrumental in evaluating bounds on the integrity risk.

Finally, in Section V, the integrity monitoring performance of both batch-IM and KF-IM is illustrated with an application to aircraft precision approach navigation. Sequences of code and carrier phase GNSS measurements are used for positioning and real-valued (floating) cycle ambiguity estimation. Batch-IM and KF-IM are evaluated against single-satellite fault profiles for different satellite geometries. System availability is quantified assuming a near-future GPS/Galileo carrier-phase based navigation system, at multiple locations over the Contiguous United States (CONUS).

II. Batch Residual-Based Integrity Monitoring

The batch least squares residual-based fault-detection algorithm (or batch-IM) was previously implemented in a satellite-based navigation system [36] as a direct extension of the well-established snapshot RAIM method. Batch-IM is described below for linear dynamic systems in general and will be used in Section III to derive results relevant to the KF-IM approach. A linear dynamic system is described at any discrete time $k$ of a time-sequence (spanning from time 1 to the current time noted $q$), by a measurement equation and a process equation:

$$\mathbf{z}_k = \mathbf{H}_k \mathbf{x}_k + \mathbf{v}_k + \mathbf{f}_k \tag{1}$$

$$\mathbf{x}_{k+1} = \boldsymbol{\Phi}_k \mathbf{x}_k + \mathbf{w}_k \tag{2}$$

where
  $k = 1, 2, \ldots, q$
  $\mathbf{z}_k$ is the $n_k \times 1$ vector of measurements at time $k$
  $\mathbf{x}_k$ is the $m_k \times 1$ state vector
  $\mathbf{H}_k$ is the observation matrix
  $\mathbf{v}_k$ is the measurement noise vector
  $\mathbf{f}_k$ is the measurement-fault vector (to be detected)
  $\boldsymbol{\Phi}_k$ is the state transition matrix
  $\mathbf{w}_k$ is the process noise vector.

Vectors $\mathbf{v}_k$ and $\mathbf{w}_k$ are assumed normally distributed with zero mean and covariance matrices $\mathbf{V}_k$ and $\mathbf{W}_k$, respectively. The following notation is used:

$$\mathbf{v}_k \sim N(\mathbf{0}, \mathbf{V}_k), \qquad \mathbf{w}_k \sim N(\mathbf{0}, \mathbf{W}_k)$$

The initial state vector $\mathbf{x}_0$ and the noise vectors $\mathbf{v}_k$ and $\mathbf{w}_k$ are all assumed to be mutually independent. If the actual measurement noise exhibits time correlation that can be linearly modeled, then the correlation model can be incorporated in Eq. (1) and (2) by state augmentation [37]. Finally, the fault vector $\mathbf{f}_k$ is a deterministic measurement bias. Although the actual fault is unknown, the worst case fault vector $\mathbf{f}_k$, which maximizes the integrity risk bound, is analytically derived in Section IV.

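A. General Batch Realization

A general batch realization is obtained by simply stacking all measurement and process equations in a single batch measurement equation:

$$\mathbf{z}_Q = \mathbf{H}_Q \mathbf{x}_Q + \mathbf{v}_Q + \mathbf{f}_Q \tag{3}$$

where

$$\mathbf{z}_Q = \begin{bmatrix} \mathbf{z}_1^T & \mathbf{0} & \cdots & \mathbf{z}_{k-1}^T & \mathbf{0} & \mathbf{z}_k^T & \mathbf{0} & \cdots & \mathbf{z}_q^T \end{bmatrix}^T$$

$$\mathbf{H}_Q = \begin{bmatrix}
\mathbf{H}_1 & \mathbf{0} & \cdots & \mathbf{0} & \mathbf{0} & \mathbf{0} & \cdots & \mathbf{0} \\
\boldsymbol{\Phi}_1 & -\mathbf{I} & \cdots & \mathbf{0} & \mathbf{0} & \mathbf{0} & \cdots & \mathbf{0} \\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & & \vdots \\
\mathbf{0} & \mathbf{0} & \cdots & \mathbf{H}_{k-1} & \mathbf{0} & \mathbf{0} & \cdots & \mathbf{0} \\
\mathbf{0} & \mathbf{0} & \cdots & \boldsymbol{\Phi}_{k-1} & -\mathbf{I} & \mathbf{0} & \cdots & \mathbf{0} \\
\mathbf{0} & \mathbf{0} & \cdots & \mathbf{0} & \mathbf{H}_k & \mathbf{0} & \cdots & \mathbf{0} \\
\mathbf{0} & \mathbf{0} & \cdots & \mathbf{0} & \boldsymbol{\Phi}_k & -\mathbf{I} & \cdots & \mathbf{0} \\
\vdots & \vdots & & \vdots & \vdots & \vdots & \ddots & \vdots \\
\mathbf{0} & \mathbf{0} & \cdots & \mathbf{0} & \mathbf{0} & \mathbf{0} & \cdots & \mathbf{H}_q
\end{bmatrix}$$

$$\mathbf{x}_Q = \begin{bmatrix} \mathbf{x}_1^T & \mathbf{x}_2^T & \cdots & \mathbf{x}_{k-1}^T & \mathbf{x}_k^T & \mathbf{x}_{k+1}^T & \cdots & \mathbf{x}_q^T \end{bmatrix}^T$$

$$\mathbf{v}_Q = \begin{bmatrix} \mathbf{v}_1^T & \mathbf{w}_1^T & \cdots & \mathbf{v}_{k-1}^T & \mathbf{w}_{k-1}^T & \mathbf{v}_k^T & \mathbf{w}_k^T & \cdots & \mathbf{v}_q^T \end{bmatrix}^T$$

$$\mathbf{f}_Q = \begin{bmatrix} \mathbf{f}_1^T & \mathbf{0} & \cdots & \mathbf{f}_{k-1}^T & \mathbf{0} & \mathbf{f}_k^T & \mathbf{0} & \cdots & \mathbf{f}_q^T \end{bmatrix}^T$$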

For any time $k$, the capital subscript $K$ designates the discrete times 1 to $k$ (i.e., for the current time $q$, $Q$ designates all discrete times during the time sequence). Let $n_Q$ and $m_Q$ respectively be the total numbers of measurements and states for the entire time interval.

$$n_Q = \sum_{k=1}^{q} n_k + \sum_{k=1}^{q-1} m_k \quad \text{and} \quad m_Q = \sum_{k=1}^{q} m_k$$

Vectors $\mathbf{z}_Q$, $\mathbf{v}_Q$, and $\mathbf{f}_Q$ are $n_Q \times 1$, whereas $\mathbf{x}_Q$ is $m_Q \times 1$. The $n_Q \times m_Q$ observation matrix $\mathbf{H}_Q$ is assumed to be full column rank (rank $m_Q$) with $n_Q \geq m_Q$. It is worth noticing that the covariance matrix $\mathbf{V}_Q$ of the batch measurement noise vector $\mathbf{v}_Q$ is block diagonal, with component block matrices:

$$\mathbf{V}_1, \mathbf{W}_1, \ldots, \mathbf{W}_{k-1}, \mathbf{V}_k, \mathbf{W}_k, \ldots, \mathbf{V}_q$$

Again, models of the measurement noise correlation can be incorporated by state augmentation [37]. Also, prior knowledge on state variables can be introduced by measurement augmentation (see [36] for example batch realizations), while preserving the block-diagonal structure of $\mathbf{V}_Q$ and the general batch formulation of Eq. (3).

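B. Batch Measurement-Based State Estimation

The batch least-squares state estimate vector $\hat{\mathbf{x}}_{Q|Q}$ of $\mathbf{x}_Q$ with covariance matrix $\mathbf{P}_{Q|Q}$ (the subscript ‘$Q|Q$’ indicates an estimate of all states using all measurements), is given by:

$$\hat{\mathbf{x}}_{Q|Q} = \mathbf{S}_Q \mathbf{z}_Q \tag{4}$$

$$\mathbf{P}_{Q|Q} = \left( \mathbf{H}_Q^T \mathbf{V}_Q^{-1} \mathbf{H}_Q \right)^{-1}$$

where $\mathbf{S}_Q$ is the pseudo-inverse of the observation matrix $\mathbf{H}_Q$ (of rank $m_Q$ with $n_Q \geq m_Q$) weighted by $\mathbf{V}_Q^{-1}$:

$$\mathbf{S}_Q = \left( \mathbf{H}_Q^T \mathbf{V}_Q^{-1} \mathbf{H}_Q \right)^{-1} \mathbf{H}_Q^T \mathbf{V}_Q^{-1} \tag{5}$$

The state estimate error $\delta\mathbf{x}_{Q|Q}$ is defined as:

$$\delta\mathbf{x}_{Q|Q} = \hat{\mathbf{x}}_{Q|Q} - \mathbf{x}_Q = \mathbf{S}_Q \left( \mathbf{v}_Q + \mathbf{f}_Q \right) \tag{6}$$

Hazardous conditions are often determined based on a single current-time state $x_{q|Q}$. (For the example aircraft approach application investigated in Section V, the emphasis is on the vertical position coordinate at current-time $q$ given measurements 1 to $q$, hence the subscript ‘$q|Q$’.) For clarity of notation, boldface characters are used for vectors and matrices (e.g., $\delta\mathbf{x}_{Q|Q}$) whereas italics designate scalars (e.g., $\delta x_{q|Q}$). The scalar $\delta x_{q|Q}$ can be written as:

$$\delta x_{q|Q} = \mathbf{T}_X^T \, \delta\mathbf{x}_{Q|Q} \tag{7}$$

where $\mathbf{T}_X$ is a $m_Q \times 1$ vector of zeros except for a single element, corresponding to the state of interest, with a value of 1. The distribution of $\delta x_{q|Q}$ is expressed as:

$$\delta x_{q|Q} \sim N\left( \mu_{q|Q}, \; \mathbf{T}_X^T \mathbf{P}_{Q|Q} \mathbf{T}_X \right) \tag{8}$$

where the mean $\mu_{q|Q}$ is a function of the fault vector $\mathbf{f}_Q$.

$$\mu_{q|Q} = \mathbf{T}_X^T \mathbf{S}_Q \mathbf{f}_Q \tag{9}$$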

The worst case fault vector f Q derived in Section IV will be used in place of the unknown vector f Q to evaluate an upper bound on the integrity risk.

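C. Batch Residual-Based Fault Detection

Similar to the snapshot residual-based IM approach [38], a batch residual vector $\mathbf{r}_{Q|Q}$ is defined as:

$$\mathbf{r}_{Q|Q} = \mathbf{z}_Q - \mathbf{H}_Q \hat{\mathbf{x}}_{Q|Q} \tag{10}$$

The norm of $\mathbf{r}_{Q|Q}$ weighted by $\mathbf{V}_Q^{-1}$ is the batch detection test statistic:

$$\left\| \mathbf{r}_{Q|Q} \right\|^2_{\mathbf{V}_Q^{-1}} = \mathbf{r}_{Q|Q}^T \mathbf{V}_Q^{-1} \mathbf{r}_{Q|Q} \tag{11}$$

From snapshot fault detection analysis [38], the test statistic $\left\| \mathbf{r}_{Q|Q} \right\|^2_{\mathbf{V}_Q^{-1}}$ is known to follow a non-central chi-square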

distribution with nQ  mQ degrees of freedom (assuming nQ  mQ ) and non-centrality parameter Q2|Q . The following notation is used: rQ|Q

2 VQ1



2 ~  NC nQ  m Q ,  2Q|Q

Q2 |Q  f QT VQ1 (I  H Q S Q )f Q



(12) (13)

where I is the identity matrix of appropriate dimensions. A worst-case value for Q2|Q will be established using the fault vector f Q derived in Section IV.

D. Integrity Risk Evaluation for Batch-IM

Integrity risk requirements are specified in terms of an alert limit  , a continuity risk requirement $P_{C,R}$, and an integrity risk requirement $P_{I,R}$ [5]. The following events are considered.

The risk of hazardous information is defined as the probability of the estimate error  xq|Q exceeding  .



A fault is undetected when the test statistic $\left\| \mathbf{r}_{Q|Q} \right\|^2_{\mathbf{V}_Q^{-1}}$ is smaller than a threshold $T_{Q|Q}$.

The detection threshold TQ|Q is set in compliance with PC , R to limit the probability of false alarms under fault-free (FF) conditions [38]. TQ|Q is derived from the following equation: P  rQ|Q 

2 VQ1

 TQ |Q | FF  PFF  PC , R . 

(14)

where the probability of FF conditions PFF is typically approximated to 1. In the presence of a fault (conditional event ‘F’), the integrity risk PI is defined as a joint probability:  PI  P x q|Q  , rQ|Q 

2 VQ1

  TQ|Q F  PF 

(15)

where the prior probability of fault occurrence PF is typically determined using a history of experimental data (e.g., as in [39]). An upper bound PI on the integrity risk PI is established by substituting the worst case fault vector f Q (derived in Section IV) for f Q in Eq. (9) and (13). PI is then used to assess whether the integrity performance criterion is fulfilled, i.e., if the following availability criterion is satisfied:

PI  PI  PI , R From snapshot residual-based fault detection analysis, the random parts of  xq|Q and rQ|Q

(16) 2 VQ1

have been proved

to be statistically independent [38, 40]. It follows from Eq. (15) that the integrity risk and its bound can be expressed as products of probabilities:





PI  P x q|Q   F P rQ|Q 

Since the probability distributions of  xq|Q and rQ|Q

2 VQ1

2 VQ1

TQ|Q F  PF 

(17)

are fully defined in Eq. (8) and (12) (using f Q instead of

f Q ), the integrity risk bound PI of batch-IM can be evaluated. This derivation shows that the two conditions (a) independence between state estimate error and detection test statistic, and (b) knowledge of their probability distributions are instrumental when evaluating the integrity risk bound PI . In Section III, a KF-based test statistic is specifically defined to satisfy these two key-conditions. But before tackling the KF-IM algorithm, a transitional step is provided by breaking down the batch residual vector into current and past-time components.

E. Partitioning the Batch Residual: Equivalent Forward-Backward Smoother Formulation

A fault-detection method is considered based on a forward-backward smoother (FBS) [41], which is equivalent to a batch, but is computationally more efficient (see [42] for additional details). The batch residual is partitioned into individual residual components at each sample time, for the measurement and for the process equations. Each individual component can be expressed by substituting the definitions of $\mathbf{z}_Q$, $\hat{\mathbf{x}}_{Q|Q}$ and the sparse batch observation matrix $\mathbf{H}_Q$ in Eq. (3) into the residual definition of Eq. (10):

$$\mathbf{r}_{Q|Q} = \begin{bmatrix} \mathbf{r}_{1|Q} \\ \mathbf{r}_{W,1|Q} \\ \vdots \\ \mathbf{r}_{k|Q} \\ \mathbf{r}_{W,k|Q} \\ \vdots \\ \mathbf{r}_{q|Q} \end{bmatrix} = \begin{bmatrix} \mathbf{z}_1 - \mathbf{H}_1 \hat{\mathbf{x}}_{1|Q} \\ -\boldsymbol{\Phi}_1 \hat{\mathbf{x}}_{1|Q} + \hat{\mathbf{x}}_{2|Q} \\ \vdots \\ \mathbf{z}_k - \mathbf{H}_k \hat{\mathbf{x}}_{k|Q} \\ -\boldsymbol{\Phi}_k \hat{\mathbf{x}}_{k|Q} + \hat{\mathbf{x}}_{k+1|Q} \\ \vdots \\ \mathbf{z}_q - \mathbf{H}_q \hat{\mathbf{x}}_{q|Q} \end{bmatrix} \tag{18}$$

It turns out that individual residual components have simple expressions. For example, the current-time residual component $\mathbf{r}_{q|Q}$ is expressed in terms of the current-time measurement vector $\mathbf{z}_q$, the observation matrix $\mathbf{H}_q$ and of the state estimate vector $\hat{\mathbf{x}}_{q|Q}$. It can be computed at the $q$th forward filter iteration of the FBS (i.e., at the current-time iteration of the Kalman filter). Also, when smoothing the data backward, state estimates $\hat{\mathbf{x}}_{k|Q}$ are obtained at each preceding sampling time, so that all residual components $\mathbf{r}_{k|Q}$ and $\mathbf{r}_{W,k|Q}$ in $\mathbf{r}_{Q|Q}$ can be recovered.

In addition, the batch measurement noise covariance matrix $\mathbf{V}_Q$ is block-diagonal. It follows that the weighted norm squared of the batch residual in Eq. (11) can be expressed as:

$$\left\| \mathbf{r}_{Q|Q} \right\|^2_{\mathbf{V}_Q^{-1}} = \sum_{k=1}^{q} \left\| \mathbf{r}_{k|Q} \right\|^2_{\mathbf{V}_k^{-1}} + \sum_{k=1}^{q-1} \left\| \mathbf{r}_{W,k|Q} \right\|^2_{\mathbf{W}_k^{-1}} \tag{19}$$

Each term of the sum corresponds to an individual residual component expressed in Eq. (18), and it is weighted by its corresponding block matrix in $\mathbf{V}_Q^{-1}$. Particularly relevant in this work is the fact that the current-time batch residual component $\mathbf{r}_{q|Q}$ and its weighted norm can be computed using a KF. This observation is the starting point for the derivation of the KF-IM method.

III. Kalman Filter-Based Integrity Monitoring

This section presents the mathematical development, theorems and proofs for the cumulative KF-IM method. A step-by-step summary of the algorithm’s implementation is provided at the end of the section.

A. Current-Time KF Test Statistic

The current-time state estimate vector $\hat{\mathbf{x}}_{q|Q}$ and residual component $\mathbf{r}_{q|Q}$ are obtained using the entire time-history of measurements, and therefore are identical for the batch and for the KF. However, this is not the case at past-time epochs, where the KF state estimate vector $\hat{\mathbf{x}}_{k|K}$ (at time $k$, given measurements 1 to $k$) differs from the batch estimate $\hat{\mathbf{x}}_{k|Q}$ (at the same time $k$, but given measurements 1 to $q$, where $q > k$). Therefore, the weighted norm of $\mathbf{r}_{q|Q}$ is first considered as a potential detection test statistic:

$$\left\| \mathbf{r}_{q|Q} \right\|^2_{\mathbf{V}_q^{-1}} = \mathbf{r}_{q|Q}^T \mathbf{V}_q^{-1} \mathbf{r}_{q|Q} \tag{20}$$

The following paragraphs address the two key-conditions that $\left\| \mathbf{r}_{q|Q} \right\|^2_{\mathbf{V}_q^{-1}}$ should satisfy to enable integrity risk evaluation.

First, the current-time KF residual vector component $\mathbf{r}_{q|Q}$ in Eq. (18) can be extracted from the batch residual vector $\mathbf{r}_{Q|Q}$ as follows:

$$\mathbf{r}_{q|Q} = \begin{bmatrix} \mathbf{0} & \mathbf{I} \end{bmatrix} \mathbf{r}_{Q|Q} \tag{21}$$

Because $\mathbf{r}_{Q|Q}$ is known to lie in the parity space – or left null space – of $\mathbf{H}_Q$ [38], vector $\mathbf{r}_{q|Q}$ exists in a subspace of the parity space of matrix $\mathbf{H}_Q$. On the other hand, $\delta\mathbf{x}_{Q|Q}$ is derived from components of $\mathbf{z}_Q$ that belong to the range of $\mathbf{H}_Q$ [38], i.e., to the column space of $\mathbf{H}_Q$, which is the orthogonal complement of its left null space. Therefore, all elements of $\mathbf{r}_{q|Q}$ are linearly independent from any element of $\delta\mathbf{x}_{Q|Q}$, which ensures that the weighted norm $\left\| \mathbf{r}_{q|Q} \right\|^2_{\mathbf{V}_q^{-1}}$ is statistically independent from $\delta x_{q|Q}$ (a more detailed argument on orthogonality and independence is given in the third paragraph of Appendix C). It follows that the integrity risk bound can be expressed as a product of probabilities:





PI  P x q|Q   F P  rq|Q 

2 Vq1

Tq|Q F  PF 

(22)

It can be noted that KF innovation-based test statistics are not pursued in this work because, unlike the residual rq|Q in Eq. (18), the KF innovation ( z q  H q xˆ q|Q 1 ) is not independent from xˆ q|Q . Second, the probability distribution of  xq|Q is given in Eq. (8), so that the probability of hazardous information, noted P(x q|Q   | F ) in Eq. (22), can be evaluated for the worst-case fault f Q . However, the probability distribution of rq|Q

2 Vq1

is as yet unknown. It is important to note that while the distribution of the total sum of partial

test statistics in Eq. (19) is fully defined (by Eq. (12)), the distribution of individual terms of the sum is nevertheless undetermined.

Theorem I: Probability Distribution of the Current-Time Test Statistic The current-time test statistic rq|Q

2 Vq1

follows a generalized non-central chi-square distribution because it can

be expressed as a weighted sum of independent non-central chi-square distributed random variables (proof in Section A of the Appendix): rq|Q

2 Vq1

p A ,q

   A2 ,i ,q y A2 ,i ,q

(23)

i 1

where the weights  A,i ,q and the independent random variables y A,i,q can be determined by singular value decomposition (SVD) of the nq  nQ matrix A :





A  Vq1 / 2 0 I  I  H Q S Q VQ1 / 2

(24)

The index i in Eq. (23) ranges from 1 to p A,q , where p A,q a is the number of non-zero singular values of A at

A  U LA Λ A U TRA .

current time q . The SVD is noted:

The coefficient  A,i ,q is the ith non-zero element of the diagonal matrix Λ A and





y A,i,q ~  TAT U TRA VQ1 / 2 f Q , 1 where the matrix TAT  0 1 0 is used to extract the ith row of U TRA .

Equation (23) defines a generalized non-central chi-square distribution. It cannot be expressed analytically without an integral form or an infinite sum [43], but its cumulative distribution function (CDF) can be computed numerically to any desired level of accuracy using published algorithms (reference [44] is used in this work).

However, Theorem I expresses the probability distribution of a partial test-statistic in terms of batch matrices (subscripts $Q$ in Eq. (24)). In practice, processing batch matrices is computationally and memory expensive, so a recursive version is defined below. Consider the current-time KF measurement update equation:

$$\hat{\mathbf{x}}_{q|Q} = \mathbf{K}_q \mathbf{z}_q + \left( \mathbf{I} - \mathbf{K}_q \mathbf{H}_q \right) \hat{\mathbf{x}}_{q|Q-1} \tag{25}$$

where $\mathbf{K}_q$ is the current-time KF gain. The right-hand-side terms in Eq. (25) were arranged to isolate two statistically independent random vectors $\mathbf{z}_q$ and $\hat{\mathbf{x}}_{q|Q-1}$. Also, Eq. (18) established that:

$$\mathbf{r}_{q|Q} = \mathbf{z}_q - \mathbf{H}_q \hat{\mathbf{x}}_{q|Q} \tag{26}$$

Substituting Eq. (25) into (26) results in:

$$\mathbf{r}_{q|Q} = \left( \mathbf{I} - \mathbf{H}_q \mathbf{K}_q \right) \mathbf{z}_q - \mathbf{H}_q \left( \mathbf{I} - \mathbf{K}_q \mathbf{H}_q \right) \hat{\mathbf{x}}_{q|Q-1} \tag{27}$$

This current-time residual component is normally distributed with covariance matrix

$$\mathbf{R}_{q|Q} = \left( \mathbf{I} - \mathbf{H}_q \mathbf{K}_q \right) \mathbf{V}_q \left( \mathbf{I} - \mathbf{H}_q \mathbf{K}_q \right)^T + \mathbf{H}_q \left( \mathbf{I} - \mathbf{K}_q \mathbf{H}_q \right) \mathbf{P}_{q|Q-1} \left( \mathbf{I} - \mathbf{K}_q \mathbf{H}_q \right)^T \mathbf{H}_q^T \tag{28}$$

where $\mathbf{P}_{q|Q-1}$ is the state prediction covariance matrix of $\hat{\mathbf{x}}_{q|Q-1}$. Equations (27) and (28) set the basis for the proof of the Corollary to Theorem I.

Corollary to Theorem I: Distribution of the Current-Time Test Statistic for Recursive Implementation The current-time test statistic can be expressed as: rq|Q

pq

2 Vq1

   i2,q y i2,q

(29)

i 1

where  i,q are the pq non-zero singular values of the nq  nq matrix B ,

B  Vq1 / 2 R1q/|Q2  U L ΛUTR and



yi ,q ~  0  i,1q





(30)





0 UTL Vq1 / 2 f q  H q μ q|Q , 1

(31)

where f q is the current-time vector component of f Q and μ q|Q is the mean of δx q|Q . A complete proof of this corollary is presented in Section B of the Appendix (the proof is complicated by the fact that, in general, R q|Q is not full-rank). In practice, to evaluate the bound on the integrity risk, the mean of y i , q in (31) is computed for the worst-case fault vector f q (derived in Section IV) and for the worst-case mean of δx q|Q . The latter is obtained by running a KF in parallel to the actual state estimator, with deterministic observation-inputs f k instead of z k , for k  1,..., q . The entire integrity risk bound evaluation process is summarized at the end of Section III. At this point, it was shown that the weighted norm of the current-time KF residual in Eq. (20) enables direct integrity risk bound evaluation because it is independent of the current-time state estimate error, and because its probability distribution is fully defined. The next paragraphs will show that past-time KF residuals can also be exploited. Past-time residuals can improve the detection of faults that persist in time, and provide early indicators of faults affecting current-time state estimates.

B. Cumulative KF Test Statistic

The method described in this section shows how past-time KF residuals $\mathbf{r}_{k|K}$ can be used to compute a cumulative KF-IM test statistic. Unlike current-time state estimates and residual vector components, past-time components for the KF ($\hat{\mathbf{x}}_{k|K}$ and $\mathbf{r}_{k|K}$) differ from the batch components ($\hat{\mathbf{x}}_{k|Q}$ and $\mathbf{r}_{k|Q}$). In response, at any past-time epoch $k$, a subset batch measurement equation is considered, represented in Fig. 1 as a partition of the full batch (introduced in Eq. 3). The subset batch measurement equation is expressed as:

$$\mathbf{z}_K = \mathbf{H}_K \mathbf{x}_K + \mathbf{v}_K + \mathbf{f}_K$$

The subset batch representation facilitates the analysis of $\mathbf{r}_{k|K}$. For instance, the state estimate vector $\hat{\mathbf{x}}_{k|K}$ at epoch $k$ is the same for the KF as for the subset batch. And results that were established at the last epoch of the full batch are valid at the last epoch of the subset batch. In particular, the partial residual component at epoch $k$ is the same for the KF and for the subset batch, and is given by:

$$\mathbf{r}_{k|K} = \mathbf{z}_k - \mathbf{H}_k \hat{\mathbf{x}}_{k|K} \tag{32}$$

The weighted norm of the residual in Eq. (32) is written as:

$$\left\| \mathbf{r}_{k|K} \right\|^2_{\mathbf{V}_k^{-1}} = \mathbf{r}_{k|K}^T \mathbf{V}_k^{-1} \mathbf{r}_{k|K} \tag{33}$$

which can easily be computed at epoch $k$ using a KF. One can briefly note that the full batch residual vector in Eq. (18) included contributions $\mathbf{r}_{W,k|Q}$ from the state transition model. In contrast, residual components corresponding to KF state predictions are null:

$$\mathbf{r}_{W,k|K} = -\boldsymbol{\Phi}_k \hat{\mathbf{x}}_{k|K} + \hat{\mathbf{x}}_{k+1|K} = \mathbf{0}$$

This means that the KF-IM residual is ineffective in detecting plant and actuator faults. In systems that are vulnerable to these types of threats, batch-IM (or forward-backward smoother IM) can be implemented instead. The next paragraphs will show that $\left\| \mathbf{r}_{k|K} \right\|^2_{\mathbf{V}_k^{-1}}$ satisfies the two key-conditions required for accurate integrity risk evaluation.

Fig. 1 Full Batch and Subset Batch Realizations

First, the probability distribution of the partial residual’s weighted norm $\left\| \mathbf{r}_{k|K} \right\|^2_{\mathbf{V}_k^{-1}}$ is determined using Theorem I and its Corollary. Theorem I can be derived for the last epoch of the subset batch instead of the full batch. Proof of the Corollary for past-time residuals is easily established using Eq. (32). Both Theorem I and its Corollary remain valid when replacing current-time subscripts $q$ and $Q$ with past-time indices $k$ and $K$ in the proofs of Sections A and B of the Appendix. Second, independence between the current-time state estimate $\delta x_{q|Q}$ and past-time KF residuals $\mathbf{r}_{k|K}$ is established in Theorem II.

Theorem II: Statistical Independence between Current-Time State Estimates and Past-Time Test-Statistics

The random parts of the current-time state estimate vector $\hat{\mathbf{x}}_{q|Q}$ and of the past-time KF residual vector component $\mathbf{r}_{k|K}$, at any epoch $k$ of the filtering interval, are derived from orthogonal components of the batch measurement noise vector $\mathbf{v}_Q$. A complete proof of this theorem is given in Section C of the Appendix, where $\hat{\mathbf{x}}_{q|Q}$ and $\mathbf{r}_{k|K}$ are expressed in terms of components of $\mathbf{v}_Q$ respectively belonging to the range space of $\mathbf{H}_Q$ and to the null space of $\mathbf{H}_Q$. Theorem II shows that both current and past-time residual components can contribute to the KF-IM test statistic. The last step of the algorithm derivation provides a straightforward solution to combine current-time and past-time residuals.

The cumulative KF-IM test statistic $r_{KF,Q}$ is defined as a sum of weighted norms squared of current and past-time residual components:

$$r_{KF,Q} = \sum_{k=1}^{q} \left\| \mathbf{r}_{k|K} \right\|^2_{\mathbf{V}_k^{-1}} \tag{34}$$

Summing residual contributions over discrete times 1 to $q$ aims at increasing fault detectability by exploiting the cumulative impact of a fault over time (similar to Eq. (19) for the batch implementation), rather than its instantaneous, current-time impact as in Section III-A. The test statistic $r_{KF,Q}$ is easily, recursively updated by adding the current-time KF residual component $\left\| \mathbf{r}_{q|Q} \right\|^2_{\mathbf{V}_q^{-1}}$ to the previously computed test-statistic $r_{KF,Q-1}$:

$$r_{KF,Q} = r_{KF,Q-1} + \left\| \mathbf{r}_{q|Q} \right\|^2_{\mathbf{V}_q^{-1}} \tag{35}$$

Its probability distribution is determined using Theorem III.

Theorem III: Mutual Independence between Current-Time and Past-Time Residuals

The random parts of current and past-time KF residual components $\mathbf{r}_{k|K}$ at all epochs $k$ are mutually independent.

The proof of Theorem III is presented in Section D of the Appendix. It is established using Theorem II and using an expression of the partial residual $\mathbf{r}_{k|K}$ akin to Eq. (27). According to Theorem III, the KF residual components $\mathbf{r}_{k|K}$ whose norms squared are summed in Eq. (34) are all mutually independent. Equation (34) can be rewritten using the Corollary to Theorem I as:

$$r_{KF,Q} = \sum_{k=1}^{q} \sum_{i=1}^{p_k} \lambda_{i,k}^2 \, y_{i,k}^2 \qquad (36)$$

Theorems I and III prove that the variables $y_{i,k}$ are all mutually independent, normally distributed random variables. It follows that $r_{KF,Q}$ in Eq. (36) is expressed as a generalized non-central chi-square distribution, whose parameters are fully identified. It is worth noticing that, in this research, the algorithm used to evaluate the distribution of $r_{KF,Q}$ in (36) requires that the weights $\lambda_{i,k}$ and mean values of $y_{i,k}$ be stored at all discrete times $k$, $k = 1, \ldots, q$ [44]. The cost in terms of memory resources is much lower than that of storing the entire sequence of measurements $\mathbf{z}_k$, process matrices $\boldsymbol{\Phi}_k$ and observation matrices $\mathbf{H}_k$, which is required in batch IM and forward-backward smoother IM. More efficient algorithms for the evaluation of generalized non-central chi-square distributions will be investigated in future work.

Finally, Theorem II shows that the cumulative KF-IM test statistic is statistically independent from the estimate error. Let $T_{KF,Q}$ be the KF-IM detection threshold, which is derived similarly to $T_{Q|Q}$ in Eq. (14) based on the fault-free distribution of $r_{KF,Q}$. The integrity risk bound using KF-IM for the worst-case fault vector $\mathbf{f}_Q$ can ultimately be evaluated as:

PI  P xq|Q   F  P rKF ,Q  TKF ,Q F  PF    

(37)

Summary of the Cumulative KF-IM Method

In practical operations, the cumulative KF-IM method can be used both for fault detection and for integrity risk bound evaluation. The fault-detection process is straightforward. At any discrete time $q$, the following steps are performed.

• The KF state estimate $\hat{\mathbf{x}}_{q|Q}$ is used to compute the KF residual $\mathbf{r}_{q|Q}$ and its norm $\|\mathbf{r}_{q|Q}\|^2_{\mathbf{V}_q^{-1}}$ following Eq. (26) and (20), respectively. The cumulative KF test statistic $r_{KF,Q}$ is obtained from Eq. (35) using the previously stored value of $r_{KF,Q-1}$.

• The detection threshold $T_{KF,Q}$ is derived from the fault-free generalized chi-square distribution of $r_{KF,Q}$, which is defined by the singular values $\lambda_{i,q}$ of matrix $\mathbf{B}$ in Eq. (30).

• A fault is detected if: $r_{KF,Q} > T_{KF,Q}$
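The fault-detection steps above, as an added Python example (not code from the paper). It assumes a constant scalar state observed by n sensors, so that $\mathbf{H}_q$ is a column of ones and $\mathbf{V}_q = \sigma^2\mathbf{I}$; the threshold is estimated by Monte Carlo sampling of Eq. (36) rather than by the algorithm of [44], and the function names, false-alarm probability and data are constructed for illustration.

```python
import random


def kf_im_history(z_seq, sigma, p0, x0=0.0):
    """Scalar-state Kalman filter with the cumulative KF-IM statistic.

    Assumed model: constant state x, n sensors with z_i = x + v_i + f_i,
    v_i ~ N(0, sigma^2). Returns one (r_KF, squared weights) pair per epoch.
    """
    n = len(z_seq[0])
    x_bar, p_bar, r_kf, history = x0, p0, 0.0, []
    for z in z_seq:
        # Measurement update in information form.
        p = 1.0 / (1.0 / p_bar + n / sigma**2)
        x_hat = p * (x_bar / p_bar + sum(z) / sigma**2)
        # Current-time residual r_q|Q = z_q - H_q x_hat and its weighted norm.
        norm_sq = sum((zi - x_hat) ** 2 for zi in z) / sigma**2
        r_kf += norm_sq  # Eq. (35): add the current-time contribution
        # Squared singular values of B = V^(-1/2) R^(1/2). For this model
        # R = V - H P H^T, so B B^T = I - (P / sigma^2) * ones * ones^T.
        weights_sq = [1.0] * (n - 1) + [1.0 - n * p / sigma**2]
        history.append((r_kf, weights_sq))
        x_bar, p_bar = x_hat, p  # constant state, no process noise
    return history


def fault_free_threshold(weights_sq_list, p_fa, draws=4000, seed=1):
    """Empirical (1 - p_fa) quantile of sum_k sum_i lambda^2 y^2, y ~ N(0, 1).

    Monte Carlo stand-in (an assumption of this example) for the
    generalized chi-square evaluation the paper takes from [44].
    """
    rng = random.Random(seed)
    flat = [w for weights in weights_sq_list for w in weights]
    samples = sorted(
        sum(w * rng.gauss(0.0, 1.0) ** 2 for w in flat) for _ in range(draws)
    )
    return samples[min(draws - 1, int((1.0 - p_fa) * draws))]


def first_detection(z_seq, sigma, p0, p_fa):
    """Return (epoch, r_KF, threshold) of the first alarm, or None."""
    history = kf_im_history(z_seq, sigma, p0)
    for q in range(1, len(history) + 1):
        r_kf = history[q - 1][0]
        threshold = fault_free_threshold([w for _, w in history[:q]], p_fa)
        if r_kf > threshold:
            return q, r_kf, threshold
    return None


def constructed_run(step, start_epoch, epochs=10, n=3, x_true=5.0,
                    sigma=1.0, seed=7):
    """Constructed data: a step fault on sensor 0 from start_epoch onward."""
    rng = random.Random(seed)
    run = []
    for k in range(1, epochs + 1):
        z = [x_true + rng.gauss(0.0, sigma) for _ in range(n)]
        if k >= start_epoch:
            z[0] += step
        run.append(z)
    return run


if __name__ == "__main__":
    z_seq = constructed_run(step=10.0, start_epoch=5)
    print(first_detection(z_seq, sigma=1.0, p0=1e6, p_fa=1e-2))
```

Only the running statistic and the per-epoch weights are stored, which is the memory saving over batch IM that the text describes.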

In parallel, the integrity risk bound associated with this KF-based estimator/detector can be evaluated by running a second KF using the worst case fault vectors $\mathbf{f}_k$ ($k = 1, \ldots, q$) as deterministic observation-inputs. At any time $q$, the following steps are performed.

• The second KF provides the mean of the estimate error vector $\delta\mathbf{x}_{q|Q}$ assuming the worst-case fault $\mathbf{f}_q$.

• This mean vector is used (a) to quantify the probability of hazardous information P(x q|Q   | F ) , and (b) to compute the means of the independent random variables $y_{i,q}$ in Eq. (31), which help define the generalized non-central chi-square distribution of $r_{KF,Q}$ so that $P(r_{KF,Q} < T_{KF,Q} \mid F)$ can be evaluated.

• The integrity risk bound $P_I$ is obtained by multiplying the product of these two probabilities with the prior probability of fault occurrence $P_F$ as expressed in Eq. (37).

The integrity risk bound provided by the cumulative KF IM method assumes a worst case fault vector f q , which is derived in Section IV.

IV. Worst Case Fault Derivation

In order to protect the dynamic system against all potential sensor faults, the integrity risk must be conservatively evaluated. An upper bound on the integrity risk can be determined for the worst-case fault magnitude (i.e., for the norm of the fault vector that maximizes the integrity risk), and for the worst-case fault mode. The fault mode designates the subset of measurements affected by the fault, i.e., the non-zero elements of the fault vector.

In sequential fault detection, which is carried out over multiple time-epochs, IM analysis not only considers the fault mode and magnitude, but also the fault profile over time. Application-specific solutions have been implemented in the literature (e.g., [18, 26]). For instance, step and ramp-type fault models of all magnitudes and start times are assumed in [45]. Such basic fault profiles may account for some realistic integrity threats affecting some sensors, but they do not provide a comprehensive description of all potential faults. A more direct approach is investigated here by deriving theoretical faults specifically designed to maximize the integrity risk $P_I$.

In this paper, the worst-case fault profile for the batch IM process is established. For comparison purposes, the same fault profiles are used for batch-IM and KF-IM in performance evaluations of Section V. Worst-case fault profiles for the KF-based method will be analyzed in future work.

The worst-case fault maximizes the batch position estimate error (most hazardous) while minimizing the residual (most misleading). Fault vectors that belong to the range space of $\mathbf{H}_Q$ (e.g., $\mathbf{f}_Q = \mathbf{H}_Q \mathbf{x}_W$, for any $n_Q \times 1$ vector $\mathbf{x}_W$) are strictly undetectable using the residual (the non-centrality parameter in Eq. (13) is zero). In this case, the impact of the vector $\mathbf{x}_W$ is entirely transferred onto the state estimate error vector $\delta\mathbf{x}_{Q|Q}$ in Eq. (6). This observation illustrates a fundamental limitation of the residual-based fault detection method, which cannot ensure detection against faults affecting more than $n_Q - m_Q$ measurements [38]. Fortunately, if measurement sources are independent, the probability of occurrence of multiple simultaneous sensor failures is often extremely low.

In this work, multiple simultaneous sensor failures are assumed not to cause the number of faulted measurements to exceed $n_Q - m_Q$. This ensures that none of the fault vectors under consideration belongs entirely to the range space of $\mathbf{H}_Q$. A method to account for the integrity risk caused by the unlikely event of a number of failed measurements higher than $n_Q - m_Q$ is provided in [45].

A fault on a subset of sensors causes a subset of elements of the fault vector $\mathbf{f}_Q$ to be non-zero. Let $n_{NZ}$ be the number of non-zero elements in $\mathbf{f}_Q$ (i.e., the number of faulty samples). As discussed in the previous paragraph, $n_{NZ}$ shall not exceed $n_Q - m_Q$. The vector $\mathbf{f}_Q$ may be expressed as:

$$\mathbf{f}_Q = \mathbf{T}_Z \mathbf{f}_{NZ}. \qquad (38)$$

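where $\mathbf{T}_Z$ is a $n_Q \times n_{NZ}$ sparse matrix of zeroes and ones that extracts the non-zero elements of $\mathbf{f}_Q$, and $\mathbf{f}_{NZ}$ is the $n_{NZ} \times 1$ vector containing these non-zero elements. Each column of $\mathbf{T}_Z$ has a single non-zero element: a unity coefficient at the $i$th row and $j$th column of $\mathbf{T}_Z$ attributes the $j$th element of $\mathbf{f}_{NZ}$ to the $i$th measurement-fault in $\mathbf{f}_Q$.

Equations (9) and (13) indicate that the fault vector $\mathbf{f}_Q$ affects the mean of the estimate error and the non-centrality parameter of the test statistic $\|\mathbf{r}_{Q|Q}\|^2_{\mathbf{V}_Q^{-1}}$. The ratio of the squared mean to the non-centrality parameter is named the failure mode slope $g_{FM}$, and is expressed as:

$$g_{FM}^2 = \frac{\mathbf{f}_{NZ}^T \mathbf{T}_Z^T \mathbf{S}_Q^T \mathbf{T}_X^T \mathbf{T}_X \mathbf{S}_Q \mathbf{T}_Z \mathbf{f}_{NZ}}{\mathbf{f}_{NZ}^T \mathbf{T}_Z^T \mathbf{V}_Q^{-1} (\mathbf{I} - \mathbf{H}_Q \mathbf{S}_Q) \mathbf{T}_Z \mathbf{f}_{NZ}}, \qquad (39)$$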

The sensitivity of the integrity risk to $g_{FM}$ is represented in Fig. 2, where the residual norm $\|\mathbf{r}_{Q|Q}\|_{\mathbf{V}_Q^{-1}}$ and the estimate error are plotted on the x-axis and y-axis, respectively. The upper left quadrant, delimited by the threshold $T_{Q|Q}^{1/2}$ on the residual norm and by the alert limit on the estimate error, is the area of hazardous misleading information (HMI), where undetected faults cause unacceptably large estimation errors (shaded area). The non-central chi distribution of the residual norm and the normal distribution of the estimate error explain the ovoid shape of the contours of constant joint probability density (dotted lines). The probability of being in the HMI area is the integrity risk $P_I$. As the fault magnitude is varied, the curve described by the non-centrality of the residual norm and the mean of the estimate error is a line passing through the origin with slope $g_{FM}$ (thick solid line). Figure 2 illustrates that the steeper $g_{FM}$ is, the larger $P_I$ becomes. The upper bound on $P_I$ can therefore be obtained by finding the fault vector $\mathbf{f}_Q = \mathbf{T}_Z \mathbf{f}_{NZ}$ that maximizes $g_{FM}$ (i.e., the “worst case” fault vector).

[Figure 2: two panels, (a) and (b), plotting the estimate error (y-axis) against the residual norm (x-axis), with lines of constant joint probability density, the HMI area, the threshold $T_{Q|Q}^{1/2}$, and the slope $g_{FM}$ for an example fault in (a) and for the worst-case fault in (b).]

Fig. 2 Illustration of the Worst-Case Failure Mode Slope (a) for an Example Fault (b) for the Worst-Case Fault

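In order to determine the direction of vector $\mathbf{f}_{NZ}$ that maximizes $g_{FM}$, a change of variable is performed by defining $\mathbf{f}_{NZ*}$ as

$$\mathbf{f}_{NZ*} = \left( \mathbf{T}_Z^T \mathbf{V}_Q^{-1} (\mathbf{I} - \mathbf{H}_Q \mathbf{S}_Q) \mathbf{T}_Z \right)^{1/2} \mathbf{f}_{NZ}. \qquad (40)$$

The following definition is used in the next steps of the derivation:

$$\mathbf{M}_Z^{-1} = \left( \mathbf{T}_Z^T \mathbf{V}_Q^{-1} (\mathbf{I} - \mathbf{H}_Q \mathbf{S}_Q) \mathbf{T}_Z \right)^{1/2}. \qquad (41)$$

The matrix $\mathbf{V}_Q^{-1} (\mathbf{I} - \mathbf{H}_Q \mathbf{S}_Q)$ is of rank $n_Q - m_Q$. The matrix $\mathbf{M}_Z^{-1}$ is $n_{NZ} \times n_{NZ}$ and is full rank for any $\mathbf{T}_Z$ corresponding to a single-sensor fault (or to a fault affecting a small subset of sensors). In this case, $\mathbf{f}_{NZ}$ is given by: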

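$$\mathbf{f}_{NZ} = \mathbf{M}_Z \mathbf{f}_{NZ*}, \qquad (42)$$

and the failure mode slope can be rewritten as:

$$g_{FM}^2 = \frac{\mathbf{f}_{NZ*}^T \mathbf{M}_Z^T \mathbf{M}_X^T \mathbf{M}_X \mathbf{M}_Z \mathbf{f}_{NZ*}}{\mathbf{f}_{NZ*}^T \mathbf{f}_{NZ*}}, \qquad (43)$$

where

$$\mathbf{M}_X = \mathbf{T}_X \mathbf{S}_Q \mathbf{T}_Z. \qquad (44)$$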
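The slope maximization set up in Eqs. (39) to (44), as an added Python example (not code from the paper). It finds the maximizing direction by power iteration on the generalized eigenproblem formed by the numerator and denominator matrices of Eq. (39), which is equivalent to the change of variable through $\mathbf{M}_Z$; $\mathbf{S}_Q$ is assumed to be the weighted least-squares estimator, $\mathbf{T}_X$ is assumed to select a single state, and the geometry, variances and function names are constructed.

```python
def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def transpose(a):
    return [list(col) for col in zip(*a)]


def inverse(a):
    """Gauss-Jordan inverse with partial pivoting (small dense matrices)."""
    n = len(a)
    aug = [list(row) + [float(i == j) for j in range(n)] for i, row in enumerate(a)]
    for c in range(n):
        pivot = max(range(c, n), key=lambda r: abs(aug[r][c]))
        aug[c], aug[pivot] = aug[pivot], aug[c]
        d = aug[c][c]
        aug[c] = [v / d for v in aug[c]]
        for r in range(n):
            if r != c:
                k = aug[r][c]
                aug[r] = [vr - k * vc for vr, vc in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]


def quad(m, f):
    """Quadratic form f^T M f."""
    return sum(fi * sum(mij * fj for mij, fj in zip(row, f)) for fi, row in zip(f, m))


def slope_matrices(h, v_diag, state_idx, faulted):
    """Numerator and denominator matrices of Eq. (39), T_Z and V^-1 (I - H S)."""
    n = len(h)
    v_inv = [[1.0 / v_diag[i] if i == j else 0.0 for j in range(n)] for i in range(n)]
    ht_vinv = matmul(transpose(h), v_inv)
    # Assumption: S_Q is the weighted least-squares estimator.
    s = matmul(inverse(matmul(ht_vinv, h)), ht_vinv)
    hs = matmul(h, s)
    w = matmul(v_inv, [[float(i == j) - hs[i][j] for j in range(n)] for i in range(n)])
    t_z = [[float(i == f) for f in faulted] for i in range(n)]
    m_x = matmul([s[state_idx]], t_z)  # T_X S_Q T_Z, T_X selecting one state
    num = matmul(transpose(m_x), m_x)
    den = matmul(matmul(transpose(t_z), w), t_z)
    return num, den, t_z, w


def slope_sq(num, den, f_nz):
    """g_FM^2 of Eq. (39) for a given direction f_NZ."""
    return quad(num, f_nz) / quad(den, f_nz)


def worst_case_fault(h, v_diag, state_idx, faulted, iters=50):
    """Return (f_Q, f_NZ, g_FM^2) for the direction that maximizes the slope."""
    num, den, t_z, _ = slope_matrices(h, v_diag, state_idx, faulted)
    m = matmul(inverse(den), num)  # dominant eigenvector of den^-1 num
    f_nz = [1.0 / (i + 1) for i in range(len(faulted))]
    for _ in range(iters):
        f_nz = [sum(mij * fj for mij, fj in zip(row, f_nz)) for row in m]
        norm = sum(x * x for x in f_nz) ** 0.5
        f_nz = [x / norm for x in f_nz]
    f_q = [sum(t * x for t, x in zip(row, f_nz)) for row in t_z]
    return f_q, f_nz, slope_sq(num, den, f_nz)


# Constructed example: 5 measurements, 2 states (position, clock), diagonal V.
H = [[1.0, 1.0], [0.5, 1.0], [-0.3, 1.0], [-0.8, 1.0], [0.2, 1.0]]
V_DIAG = [1.0, 1.0, 4.0, 4.0, 1.0]

if __name__ == "__main__":
    f_q, f_nz, g2 = worst_case_fault(H, V_DIAG, state_idx=0, faulted=[0, 1])
    print("worst-case fault direction:", f_q)
    print("worst-case slope squared:", g2)
```

The same matrices also show the undetectable case described earlier: for a fault in the range space of $\mathbf{H}_Q$, `quad(w, f)` is zero, so the residual carries no information about it.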

The vector $\mathbf{f}_{NZ*}$ that maximizes $g_{FM}^2$ is the eigenvector $\mathbf{v}_{MAX}$ corresponding to the largest eigenvalue of the symmetric matrix $\mathbf{M}_Z^T \mathbf{M}_X^T \mathbf{M}_X \mathbf{M}_Z$. A similar derivation can be found in [46] in the context of snapshot RAIM, for single-epoch faults simultaneously affecting multiple measurements. Finally, the worst-case fault $\mathbf{f}_Q$ that maximizes the probability of hazardous misleading information is:

$$\mathbf{f}_Q = \mathbf{T}_Z \mathbf{M}_Z \mathbf{v}_{MAX}. \qquad (45)$$

V. Performance Analysis

Performance comparisons for an illustrative example of a near-future multi-constellation navigation system are carried out to quantify availability using batch-IM versus KF-IM, as well as using existing snapshot IM methods.

A. Availability Analysis for Aircraft Precision Approach

The performance analysis is structured around an example application of precision navigation for aircraft approach and landing. During precision approach under limited visibility, the pilot makes the decision of whether to initiate or to abort the mission based on the computed integrity risk bound. Therefore, in this application, timely and accurate integrity risk evaluation is critical. In addition, aircraft approach navigation requirements are extremely stringent [5]. They are challenging to satisfy using ‘snapshot’ positioning, but might be fulfilled using measurement filtering over time. The batch-IM method could be implemented, but airplanes have limited computation and memory resources. Instead, the KF-IM algorithm can enable real-time evaluation of tight bounds on the integrity risk.

In this example application, aircraft navigation is based on near-term future GNSS ranging signals from GPS and Galileo satellites. GNSS carrier phase ranging measurements are biased by cycle ambiguities, which remain constant for as long as the signal is continuously tracked. In this case, the dynamic model accounts for the constant cycle ambiguity biases. Measurement models also account for sources of time-correlated errors. These simple yet realistic measurement and process models are used to illustrate the batch-IM and KF-IM performance.

The measurement model used in this work is similar to the one described in [36]. Differential GNSS measurements used for aircraft positioning include code phase (pseudorange) ρ k and carrier phase φ k signals [47]. At each measurement time k , these observations are stacked together for all satellites in a measurement vector:

G k 1 0 ρ  φ  G 1 I n   k  k

k

 xU ,k    H ERR, ,k    k   ν      H ERR, ,k  n   ν   k   s ERR,k 

(46)

where G k is the satellite geometry matrix (made of line of sight unit vectors for all satellites in view)

xU ,k is the user position (in a local reference frame),

k

is the differential receiver clock bias

n

is the vector of differenced cycle ambiguities

Differential code and carrier phase receiver noise vectors are respectively defined as:



v  ,k ~ N 0, I 2





and v  ,k ~ N 0, I 2



(47)

The assumed values for the standard deviations   and   of differential code and carrier measurements respectively are 0.80 m and 0.01 m. In addition, a vector of error states s ERR is appended to the estimated states to incorporate the dynamics of the error sources described below. The matrix H ERR contains the corresponding state coefficients. The process equation accounts for various types of dynamics. It is expressed as:

0   xU ,k   w U   xU ,k 1  0 0 0      0 0      k   w T   k 1  =  +  n    I 0  n   0         s ERR,k 1  0  0 Φ ERR,k  s ERR,k  w ERR  k

(48)

Equation (48) includes the user position $\mathbf{x}_{U,k}$ and the differential receiver clock bias, states whose time propagation is unknown. No external information is used to model the position state dynamics. In order to avoid setting limitations on aircraft motion, the assumed process noise components $\mathbf{w}_U$ and $w_T$ are modeled as zero-mean normally-distributed variables with very large standard deviations, so that the covariance matrix of the unknown position states is reinitialized at each time-update. The cycle ambiguity vector $\mathbf{n}$ is initially unknown, but is constant over time (the corresponding process noise vector component is $\mathbf{0}$). The vector $\mathbf{w}_{ERR}$ is the process noise on error states $\mathbf{s}_{ERR}$.

The satellite ranging error models (captured in $\mathbf{H}_{ERR}$, $\boldsymbol{\Phi}_{ERR}$, $\mathbf{s}_{ERR}$, and $\mathbf{w}_{ERR}$) are described in detail in [36]. They are not essential for the performance analysis, but they were included to demonstrate that KF-IM can be efficiently implemented in a realistic dynamic system. Thus, nominal satellite orbit ephemeris errors are modeled as ramps over time with constant gradients. Vertical tropospheric decorrelation is modeled as an exponential function of the change in aircraft altitude multiplied by a constant tropospheric refractivity index [48]. The unknown but constant gradients and tropospheric parameter are included as states in $\mathbf{s}_{ERR}$ and assumed constant over time (corresponding elements in $\mathbf{w}_{ERR}$ are zero-valued). Ionospheric delay is eliminated using dual-frequency code and carrier measurements [49]. Time-correlated noise due to multipath signal reflections is modeled as a first order Gauss Markov Process (GMP) with a 1 min time-constant, and is also incorporated by state augmentation in $\mathbf{s}_{ERR}$ (the corresponding elements in $\mathbf{w}_{ERR}$ are the zero-mean normally-distributed driving noise vector of the multipath error’s GMP).

The fault vector $\mathbf{f}_k$ in this performance analysis assumes single-satellite faults. Satellite faults are described in [39]. Fault sources include, for example, satellite out-gassing, thruster firing, satellite clock instability, and erroneous orbit ephemeris broadcast. Their impact on ranging measurements can cause steps, ramps, and sinusoids, and even more complicated fault profiles are mentioned in [39]. Based on the information provided in [39], the prior probability of fault $P_F$ is conservatively assumed to be $10^{-4}$ (the same number is used in [5]).

The fault-free measurement equation (46) and process equation (48) are expressed in the form of Eqs (1) and (2). The worst-case fault $\mathbf{f}_k$ given in Eq. (45) is considered. Equations (46), (48), and (45) are used to evaluate bounds on the integrity risk using batch-IM and KF-IM as described in Eq. (17) and (37) of Sections II and III, respectively. In this analysis, the airplane is assumed to follow a straight-in trajectory toward the runway, at a constant 70 m/s velocity, along a constant 3 deg glideslope angle. Hazardous information is determined based on the vertical position coordinate. Navigation requirements in Eq. (14), (17) and (37) include a vertical alert limit of 10 m, a continuity risk requirement $P_{C,R}$ of $8 \times 10^{-6}$ and an integrity risk requirement $P_{I,R}$ of $10^{-7}$ [5].

Measurements are assumed sampled over a 5 min mission duration. The computational load assuming a 1 s sampling interval on a typical personal computer was prohibitive for this analysis (processing time is analyzed in Section V-B). Therefore, a 20 s sampling interval was selected. The same set of measurements is assumed when comparing batch IM and KF IM. To account for different satellite geometries, approaches starting at regular 4 min intervals are considered over a 24 hour period. The fraction of approaches that meets the integrity performance criterion in Eq. (16) over the total number of simulated approaches is the measure of fault-detection performance called availability.

B. Performance Comparison between Batch-IM and KF-IM over CONUS

The performance of the batch and KF integrity monitoring methods is analyzed for a 5 deg × 7.5 deg latitude-longitude grid of locations over CONUS. The same sequence of measurements and the same fault profiles are used in both algorithms. Figures 3 and 4 present availability maps for the batch-IM and KF-IM methods, respectively. Availability is color-coded: white color corresponds to a value of 100%, black represents 85%. Constant availability contours are also displayed. In both batch-IM and KF-IM, availability ranges between 96% and 100%. Higher availability for batch-IM is to be expected because the sensitivity of past-time batch residuals (computed using $\hat{\mathbf{x}}_{k|Q}$ in Eq. (18)) is higher than that of past-time KF residuals (derived from $\hat{\mathbf{x}}_{k|K}$). Still, for this example application, the new recursive KF-based fault-detection algorithm performs almost as well as batch-IM, which is much more computationally and memory intensive.

[Figure 3: availability contour map over CONUS; axes are latitude (deg N) and longitude (deg W).]

Fig. 3 Availability Map for Batch-IM

[Figure 4: availability contour map over CONUS; axes are latitude (deg N) and longitude (deg W).]

Fig. 4 Availability Map for KF-IM

The cost in terms of memory resources of batch-IM versus KF-IM was discussed in Section III-B. To analyze the computational cost, it can be noted, as mentioned in Section V-A, that the simulation time of batch IM for this analysis would have exceeded several weeks using a 1 s sampling interval. Processing time assuming a 1 s sampling interval was further quantified at one example location (25 deg latitude East, -80 deg longitude North), using a standard desktop personal computer. Both algorithms were evaluated against the same worst-case faults, whose computation time was not included because, as acknowledged in Section IV, fault profile derivation for the KF-based method is part of future work. The resulting simulation running time for a single, 300 s-long aircraft approach was 140.5 s using batch-IM, as compared to 0.3 s using KF-IM, which, unlike batch-IM, is a truly sequential algorithm and therefore only requires 0.001 s between samples. In addition, for aircraft approaches simulated over 24 hours, the running times for KF-IM were 5.6 s, 8.5 s and 16.5 s for sampling intervals of 30 s, 20 s and 10 s, respectively. In comparison, processing times using batch-IM were much longer and amounted to 12.2 s, 24.3 s and 129.4 s, respectively. As the number of measurements increases, i.e., as sampling time decreases, the differences between KF-IM and batch-IM are accentuated because on the one hand, batch matrices become larger, whereas on the other hand, additional KF updates are performed but using KF matrices of unchanged dimensions. Despite preliminary modifications of the algorithm given in [44], which are beyond the scope of this paper, the most time-consuming procedure in KF-IM is the evaluation of the non-central generalized chi-square distribution. Further improvement of this algorithm will be investigated in future research.

[Figure 5: availability contour map over CONUS; axes are latitude (deg N) and longitude (deg W).]

Fig. 5 Availability Map Using Only the Current-Time KF-IM Residual

Figure 5 displays the availability map of a KF-IM approach that only uses the norm of the current-time residual as test statistic (as derived in Section III-A). The color code was modified in Fig. 5 where black corresponds to 40%, white to 100%. Availability drops below 50% at a few locations, versus 96% for the lowest availability obtained using cumulative KF-IM. Figure 5 emphasizes the benefit of using both current and past-time KF residuals.

C. Improvement Brought by KF-IM over Existing Snapshot IM Methods

Snapshot IM algorithms such as RAIM [7-9, 38] can provide bounds on the integrity risk corresponding to the worst case fault. Snapshot IM performance is first evaluated using current-time measurements only. In this case, availability of integrity in the presence of faults drops as low as 40%, as shown in Fig. 6, which uses the same color code as in Fig. 5. But even more significant is the result in terms of availability of fault-free (FF) integrity. The integrity risk under FF conditions is defined as:

PI , FF  P xq|Q   FF PFF

where $P_{FF}$ was defined in Eq. (14). The FF availability criterion specifies that $P_{I,FF}$ should be below a required value [5] of $10^{-7}$ in this example. This criterion did not need to be mentioned earlier because it did not impact the overall navigation performance (FF availability was 100% at all locations in Fig. 3-5). But FF availability is the driving performance limitation for snapshot IM. This result emphasizes the fact that many applications, including GNSS-based aircraft precision approach navigation, require measurement filtering over time.

[Figure 6: availability contour map over CONUS; axes are latitude (deg N) and longitude (deg W).]

Fig. 6 Map of Availability of Integrity in Presence of Faults for Snapshot IM Using Only Raw, Current-Time Measurements

Therefore, instead of using raw measurements, snapshot IM is evaluated again, but using pre-processed data. The impact of receiver noise on GNSS ranging signals can be reduced at the measurement level (by smoothing code measurements using time-differenced carrier signals as described in [4]). The filtered measurements are then utilized for snapshot weighted least-squares position estimation. Even though this approach is GNSS-specific, it is worth considering because it is representative of existing implementations [4-6]. The snapshot approach is also computationally efficient, but it does not exploit the system’s dynamics. For instance, in this example application, the motion of the satellites over the filtering period was shown to improve cycle ambiguity estimation in [50]. This leverage is exploited in batch-IM and KF-IM, but it is not in snapshot-IM. Figure 7 is the availability map obtained for snapshot-IM using pre-processed data (assuming the same sequence of measurements as in Fig. 3 to 6). The color code is the same as in Fig. 3 and 4. FF availability is 100% at all locations. The map shows a substantial drop in availability (in the presence of faults) as compared to KF-IM in Fig. 4. The lowest availability value for snapshot-IM is 86% versus 96% for KF-IM. This analysis illustrates the potential of KF-IM to exploit the information provided by both the measurements and the system dynamics in order to establish tight bounds on the integrity risk.

[Figure 7: availability contour map over CONUS; axes are latitude (deg N) and longitude (deg W).]

Fig. 7 Availability Map of Snapshot IM Using Pre-Filtered Measurements

VI. Conclusion

This paper introduced a new Kalman filter-based sensor fault detection method for dynamic systems that require measurement filtering over time. A recursively-updated Kalman filter integrity monitoring (KF-IM) test statistic was designed to exploit both current-time and past-time residual contributions while satisfying two key-conditions. First, the test statistic was proved to be statistically independent from the current-time state estimate error. Second, it was shown to follow a generalized non-central chi-square distribution. As a result, this easy-to-implement KF-IM algorithm enables direct and rigorous integrity risk evaluation. Availability analyses were carried out for an example aircraft navigation application where differential Global Navigation Satellite System (GNSS) carrier phase signals were used for positioning. Results showed that the new recursive method could achieve a level of performance similar to that of a much more computationally and memory-expensive batch fault-detection process. KF-IM opens the possibility for efficient, real-time Kalman filter-based estimation with the assurance of a tight bound on the integrity risk.

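Appendix

A. Proof of Theorem I: Probability Distribution of the Current-Time Test Statistic

The current-time component of the batch residual vector can be expressed using the definitions of Eq. (4), (10), and (18) as:

$$\mathbf{r}_{q|Q} = [\mathbf{0} \ \ \mathbf{I}] \, (\mathbf{I} - \mathbf{H}_Q \mathbf{S}_Q) \, \mathbf{z}_Q. \qquad (49)$$

The first step of the proof is to normalize the measurement vector $\mathbf{z}_Q$. Consider the change of variable

$$\mathbf{z}_{Q*} = \mathbf{V}_Q^{-1/2} \mathbf{z}_Q, \quad \mathbf{z}_{Q*} \sim N\left( \mathbf{V}_Q^{-1/2} \mathbf{f}_Q, \ \mathbf{I} \right) \qquad (50)$$

The vector $\mathbf{z}_{Q*}$ of independent, identically distributed (i.i.d.) random variables is substituted back into Eq. (49):

$$\mathbf{r}_{q|Q} = [\mathbf{0} \ \ \mathbf{I}] \, (\mathbf{I} - \mathbf{H}_Q \mathbf{S}_Q) \, \mathbf{V}_Q^{1/2} \mathbf{z}_{Q*}. \qquad (51)$$

The weighted norm of $\mathbf{r}_{q|Q}$ defined in Eq. (20) can be expressed as a quadratic form of i.i.d. Gaussian random variables:

$$\|\mathbf{r}_{q|Q}\|^2_{\mathbf{V}_q^{-1}} = \mathbf{z}_{Q*}^T \mathbf{A}^T \mathbf{A} \mathbf{z}_{Q*} \qquad (52)$$

where

$$\mathbf{A} = \mathbf{V}_q^{-1/2} \, [\mathbf{0} \ \ \mathbf{I}] \, (\mathbf{I} - \mathbf{H}_Q \mathbf{S}_Q) \, \mathbf{V}_Q^{1/2} \qquad (53)$$

The singular value decomposition (SVD) of $\mathbf{A}$ is noted:

$$\mathbf{A} = \mathbf{U}_{LA} \boldsymbol{\Lambda}_A \mathbf{U}_{RA}^T \qquad (54)$$

Substituting Eq. (54) into (52) and simplifying yields:

$$\|\mathbf{r}_{q|Q}\|^2_{\mathbf{V}_q^{-1}} = \mathbf{z}_{Q*}^T \mathbf{U}_{RA} \boldsymbol{\Lambda}_A^2 \mathbf{U}_{RA}^T \mathbf{z}_{Q*} \qquad (55)$$

A second change of variable is used to recover a known quadratic form:

$$\mathbf{y}_A = \mathbf{U}_{RA}^T \mathbf{z}_{Q*}, \quad \mathbf{y}_A \sim N\left( \mathbf{U}_{RA}^T \mathbf{V}_Q^{-1/2} \mathbf{f}_Q, \ \mathbf{I} \right) \qquad (56)$$

$$\|\mathbf{r}_{q|Q}\|^2_{\mathbf{V}_q^{-1}} = \mathbf{y}_A^T \boldsymbol{\Lambda}_A^2 \mathbf{y}_A \qquad (57)$$

which is equivalent to Eq. (23):

$$\|\mathbf{r}_{q|Q}\|^2_{\mathbf{V}_q^{-1}} = \sum_{i=1}^{p_{A,q}} \lambda_{A,i,q}^2 \, y_{A,i,q}^2$$

The coefficient $\lambda_{A,i,q}$ (subscript $i$ ranging from 1 to $p_{A,q}$ at current time $q$) is the $i$th non-zero element of the diagonal matrix $\boldsymbol{\Lambda}_A$. The independent random variables $y_{A,i,q}$ are defined as:

$$y_{A,i,q} = \mathbf{T}_A^T \mathbf{y}_A$$

where the row vector $\mathbf{T}_A^T = [0 \ \ 1 \ \ 0]$ is used to extract the $i$th element of $\mathbf{y}_A$. Variables $y_{A,i,q}$ can be written as:

$$y_{A,i,q} \sim N\left( \mathbf{T}_A^T \mathbf{U}_{RA}^T \mathbf{V}_Q^{-1/2} \mathbf{f}_Q, \ 1 \right).$$

This concludes the proof of Theorem I.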

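B. Proof Of Corollary to Theorem I: Distribution of Current-Time Test Statistic for Recursive Implementation

The corollary to Theorem I aims at expressing the probability distribution of $\|\mathbf{r}_{q|Q}\|^2_{\mathbf{V}_q^{-1}}$ without the batch matrices used in Eq. (24). Equations (27) and (28) provide expressions of the current-time residual vector and covariance matrix:

$$\mathbf{r}_{q|Q} = (\mathbf{I} - \mathbf{H}_q \mathbf{K}_q) \mathbf{z}_q - \mathbf{H}_q (\mathbf{I} - \mathbf{K}_q \mathbf{H}_q) \hat{\mathbf{x}}_{q|Q-1}$$

$$\mathbf{R}_{q|Q} = (\mathbf{I} - \mathbf{H}_q \mathbf{K}_q) \mathbf{V}_q (\mathbf{I} - \mathbf{H}_q \mathbf{K}_q)^T + \mathbf{H}_q (\mathbf{I} - \mathbf{K}_q \mathbf{H}_q) \mathbf{P}_{q|Q-1} (\mathbf{I} - \mathbf{K}_q \mathbf{H}_q)^T \mathbf{H}_q^T$$

In general, $\mathbf{R}_{q|Q}$ is not invertible, which prevents direct derivation of the proof of the Corollary to Theorem I using a method akin to the proof of Theorem I. Instead, the development starts by defining a matrix $\mathbf{B}$:

$$\mathbf{B} = \mathbf{V}_q^{-1/2} \mathbf{R}_{q|Q}^{1/2} \qquad (58)$$

The SVD of $\mathbf{B}$ is noted:

$$\mathbf{B} = \mathbf{U}_L \boldsymbol{\Lambda} \mathbf{U}_R^T \qquad (59)$$

Matrix $\boldsymbol{\Lambda}$ is diagonal, with diagonal elements the singular values of the positive semi-definite matrix $\mathbf{B}$. Without loss of generality, the singular values of $\mathbf{B}$ are assumed to be arranged in descending order on the diagonal of $\boldsymbol{\Lambda}$ (zero-valued singular values are grouped together on the diagonal of $\boldsymbol{\Lambda}$). Let $\boldsymbol{\Lambda}_{NZ}$ be the block matrix of $\boldsymbol{\Lambda}$ containing all non-zero singular values:

$$\boldsymbol{\Lambda}_{NZ} = \mathbf{T} \boldsymbol{\Lambda} \mathbf{T}^T \quad \text{where} \quad \mathbf{T} = [\mathbf{I} \ \ \mathbf{0}].$$

Matrix $\boldsymbol{\Lambda}$ can also be rewritten as $\boldsymbol{\Lambda} = \mathbf{T}^T \boldsymbol{\Lambda}_{NZ} \mathbf{T}$. In addition, a vector $\mathbf{y}$ is defined as:

$$\mathbf{y} = \boldsymbol{\Lambda}_{NZ}^{-1} \mathbf{T} \mathbf{U}_L^T \mathbf{V}_q^{-1/2} \mathbf{r}_{q|Q} \qquad (60)$$

which yields:

$$\mathbf{V}_q^{-1/2} \mathbf{r}_{q|Q} = \mathbf{U}_L \mathbf{T}^T \boldsymbol{\Lambda}_{NZ} \mathbf{y} \qquad (61)$$

Equation (61) is used to express the weighted norm of the residual as a quadratic form similar to Eq. (57). Equation (20) is rewritten as:

$$\|\mathbf{r}_{q|Q}\|^2_{\mathbf{V}_q^{-1}} = \mathbf{r}_{q|Q}^T \mathbf{V}_q^{-1/2} \mathbf{V}_q^{-1/2} \mathbf{r}_{q|Q} \qquad (62)$$

Substituting Eq. (61) into (62) yields:

$$\|\mathbf{r}_{q|Q}\|^2_{\mathbf{V}_q^{-1}} = \mathbf{y}^T \boldsymbol{\Lambda}_{NZ}^2 \mathbf{y} \qquad (63)$$

which is equivalent to Eq. (29):

$$\|\mathbf{r}_{q|Q}\|^2_{\mathbf{V}_q^{-1}} = \sum_{i=1}^{p_q} \lambda_{i,q}^2 \, y_{i,q}^2.$$

The coefficient $\lambda_{i,q}$ (subscript $i$ ranging from 1 to $p_q$) is the $i$th element of the diagonal matrix $\boldsymbol{\Lambda}_{NZ}$. The normally distributed random variable $y_{i,q}$ is the $i$th element of vector $\mathbf{y}$. The covariance matrix of $\mathbf{y}$ is expressed by multiplying both sides of Eq. (60) by its transpose and by taking the expected value of the result:

$$E\{\mathbf{y}\mathbf{y}^T\} = \boldsymbol{\Lambda}_{NZ}^{-1} \mathbf{T} \mathbf{U}_L^T \mathbf{V}_q^{-1/2} \mathbf{R}_{q|Q} \mathbf{V}_q^{-1/2} \mathbf{U}_L \mathbf{T}^T \boldsymbol{\Lambda}_{NZ}^{-1} \qquad (64)$$

where $E\{\cdot\}$ is the expected value operator. Then, both sides of Eq. (64) are pre-multiplied by $\mathbf{U}_R \boldsymbol{\Lambda}^2 \mathbf{T}^T$ and post-multiplied by $\mathbf{T} \boldsymbol{\Lambda}^2 \mathbf{U}_R^T$. This expression can be simplified using the fact that $\boldsymbol{\Lambda}^2 \mathbf{T}^T \boldsymbol{\Lambda}_{NZ}^{-1} \mathbf{T} = \boldsymbol{\Lambda}$, and by substituting Eq. (59) and (58) into the resulting expression, which yields:

$$\mathbf{U}_R \boldsymbol{\Lambda}^2 \mathbf{T}^T E\{\mathbf{y}\mathbf{y}^T\} \mathbf{T} \boldsymbol{\Lambda}^2 \mathbf{U}_R^T = \mathbf{B}^T \mathbf{B} \mathbf{B}^T \mathbf{B} \qquad (65)$$

In addition, because $\mathbf{U}_L^T \mathbf{U}_L = \mathbf{I}$ and substituting Eq. (59) for $\mathbf{U}_L \boldsymbol{\Lambda} \mathbf{U}_R^T$, Eq. (65) can be rewritten as:

$$\mathbf{B}^T \mathbf{U}_L \boldsymbol{\Lambda} \mathbf{T}^T E\{\mathbf{y}\mathbf{y}^T\} \mathbf{T} \boldsymbol{\Lambda} \mathbf{U}_L^T \mathbf{B} = \mathbf{B}^T \mathbf{B} \mathbf{B}^T \mathbf{B}$$

The assertion that $E\{\mathbf{y}\mathbf{y}^T\} = \mathbf{I}$ is equivalent to

$$\mathbf{B}^T \mathbf{U}_L \boldsymbol{\Lambda} \boldsymbol{\Lambda} \mathbf{U}_L^T \mathbf{B} = \mathbf{B}^T \mathbf{B} \mathbf{B}^T \mathbf{B}$$

which can be rewritten as:

$$\mathbf{B}^T \mathbf{U}_L \boldsymbol{\Lambda} \mathbf{U}_R^T \mathbf{U}_R \boldsymbol{\Lambda} \mathbf{U}_L^T \mathbf{B} = \mathbf{B}^T \mathbf{B} \mathbf{B}^T \mathbf{B}. \qquad (66)$$

Substituting Eq. (59) into the left hand side of (66) shows that this expression is true. Therefore it must be true that

$$E\{\mathbf{y}\mathbf{y}^T\} = \mathbf{I}. \qquad (67)$$

Finally, Eq. (67) shows that the random variables $y_{i,q}$ in Eq. (29) are mutually independent for $i$ ranging from 1 to $p_q$. Their probability distribution is given by:

$$y_{i,q} \sim N\left( [\mathbf{0} \ \ \lambda_{i,q}^{-1} \ \ \mathbf{0}] \, \mathbf{U}_L^T \mathbf{V}_q^{-1/2} \boldsymbol{\mu}_{R,q|Q}, \ 1 \right) \qquad (68)$$

where $\boldsymbol{\mu}_{R,q|Q}$ is the mean vector of $\mathbf{r}_{q|Q}$. Vector $\boldsymbol{\mu}_{R,q|Q}$ can be written in terms of the current-time vector component $\mathbf{f}_q$ of $\mathbf{f}_Q$ and of the mean $\boldsymbol{\mu}_{q|Q}$ of $\delta\mathbf{x}_{q|Q}$ as:

$$\boldsymbol{\mu}_{R,q|Q} = \mathbf{f}_q - \mathbf{H}_q \boldsymbol{\mu}_{q|Q}.$$

This concludes the proof of the Corollary to Theorem I.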

C. Proof of Theorem II: Statistical Independence between Current-Time State Estimates and Past-Time Residuals

For the purpose of this derivation, the fault-free batch measurement equation is considered:

$$\mathbf{z}_Q = \mathbf{H}_Q \mathbf{x}_Q + \mathbf{v}_Q \qquad (69)$$

As discussed in Section I, the batch-IM implementation makes it possible to derive results that will be extended to KF-IM in order to prove Theorem II. The fault vector $\mathbf{f}_Q$ in Eq. (3) is left aside because deterministic parts of the measurement error do not affect the determination of statistical independence. In this work, the terms ‘statistical independence’ or ‘stochastic independence’ designate independence of random parts of two or more vectors of variables. As in Appendices I and II, a change of variable is used to normalize the measurement equation:

$$\mathbf{z}_{Q*} = \mathbf{H}_{Q*} \mathbf{x}_Q + \delta\mathbf{z}_Q \qquad (70)$$

where:

$$\mathbf{z}_{Q*} = \mathbf{V}_Q^{-1/2} \mathbf{z}_Q, \quad \mathbf{H}_{Q*} = \mathbf{V}_Q^{-1/2} \mathbf{H}_Q \quad \text{and} \quad \delta\mathbf{z}_Q = \mathbf{V}_Q^{-1/2} \mathbf{v}_Q \qquad (71)$$

The resulting measurement error distribution is given by:

$$\delta\mathbf{z}_Q \sim N(\mathbf{0}, \mathbf{I})$$

The state estimate and estimate error vectors can be expressed using the measurement Eq. (70) as:

$$\hat{\mathbf{x}}_{Q|Q} = \mathbf{S}_{Q*} \mathbf{z}_{Q*}, \quad \delta\mathbf{x}_{Q|Q} = \mathbf{S}_{Q*} \delta\mathbf{z}_Q \qquad (72)$$

where

$$\mathbf{S}_{Q*} = \left( \mathbf{H}_{Q*}^T \mathbf{H}_{Q*} \right)^{-1} \mathbf{H}_{Q*}^T \qquad (73)$$

The measurement error vector $\delta z_Q$ can be expressed as a sum of two orthogonal complements:

$$\delta z_Q = \delta z_{//,Q} + \delta z_{\perp,Q} \tag{74}$$

where $\delta z_{//,Q}$ is the vector component of $\delta z_Q$ that belongs to the column space of $H_{Q*}$ (i.e., $\delta z_{//,Q} \in \mathrm{Range}(H_{Q*})$) and $\delta z_{\perp,Q}$ is the vector component of $\delta z_Q$ belonging to the parity space of $H_{Q*}$ (i.e., $\delta z_{\perp,Q} \in \mathrm{Null}(H_{Q*}^T)$). The two vectors can be expressed as:

$$\delta z_{//,Q} = H_{Q*} S_{Q*} \delta z_Q \quad \text{and} \quad \delta z_{\perp,Q} = \left( I - H_{Q*} S_{Q*} \right) \delta z_Q$$

Vectors $\delta z_{//,Q}$ and $\delta z_{\perp,Q}$ are uncorrelated because:

$$E\left[ \delta z_{\perp,Q} \, \delta z_{//,Q}^T \right] = 0$$

Since $\delta z_{//,Q}$ and $\delta z_{\perp,Q}$ are also jointly normally distributed (as they can be expressed as linear combinations of elements of $\delta z_Q$), they are statistically independent. In this two-part derivation, the current-time estimate error $\delta x_{q|Q}$ is first shown to only be a function of $\delta z_{//,Q}$, and then it is proved that $\delta z_{//,Q}$ does not contribute to the past-time KF residual $r_{k|K}$ (which is only a function of $\delta z_{\perp,Q}$).

First, the current-time state estimate error can be expressed in terms of the batch vector:

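$$\delta x_{q|Q} = \begin{bmatrix} 0 & I \end{bmatrix} \delta x_{Q|Q} \tag{75}$$

Substituting Eq. (72) into (75) and using the definition of Eq. (74) yields:

$$\delta x_{q|Q} = \begin{bmatrix} 0 & I \end{bmatrix} S_{Q*} \left( \delta z_{//,Q} + \delta z_{\perp,Q} \right) \tag{76}$$

Considering the definition of $S_{Q*}$ in Eq. (73), and because $\delta z_{\perp,Q}$ is orthogonal to the columns of $H_{Q*}$, the product $H_{Q*}^T \delta z_{\perp,Q}$ is zero. The result is then:

$$\delta x_{q|Q} = \begin{bmatrix} 0 & I \end{bmatrix} S_{Q*} \, \delta z_{//,Q} \tag{77}$$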

The second part of the derivation aims at expressing past-time KF residuals $r_{k|K}$ (at discrete times $k$, for $k$ ranging from 1 to $q$) as a function of the batch measurement error vector components $\delta z_{//,Q}$ and $\delta z_{\perp,Q}$. The subset batch residual vector is expressed using Eqs. (4) and (10) for the subset batch represented in Fig. 1 (there are no complications in the normalization step, indicated by ‘*’ subscripts, because $V_Q$ is block diagonal):

$$r_{K|K} = \left( I - H_{K*} S_{K*} \right) z_{K*} \tag{78}$$

The subset batch measurement equation (akin to Eq. (70)), $z_{K*} = H_{K*} x_K + \delta z_K$, can be substituted into Eq. (78), which results in:

$$r_{K|K} = \left( I - H_{K*} S_{K*} \right) \delta z_K \tag{79}$$

because $S_{K*} H_{K*} = I$. In addition, the relationship between subset and full batch measurement vectors is captured in the following equation:

$$\delta z_K = \begin{bmatrix} I & 0 \end{bmatrix} \delta z_Q \tag{80}$$

Substituting Eq. (80) into (79) and using the definition in (74) yields:

$$r_{K|K} = \left( I - H_{K*} S_{K*} \right) \begin{bmatrix} I & 0 \end{bmatrix} \left( \delta z_{//,Q} + \delta z_{\perp,Q} \right) \tag{81}$$

Next, it is shown that:

$$\left( I - H_{K*} S_{K*} \right) \begin{bmatrix} I & 0 \end{bmatrix} \delta z_{//,Q} = 0 \tag{82}$$

It is worth noticing that $\left( I - H_{K*} S_{K*} \right)$ is a projection operator onto the orthogonal complement of $\mathrm{Range}(H_{K*})$, and not of $\mathrm{Range}(H_{Q*})$, to which $\delta z_{//,Q}$ belongs. Therefore Eq. (82) is not self-evident. The vector $\delta z_{//,Q}$ can be expressed as:

$$\delta z_{//,Q} = H_{Q*} u, \quad u \in \mathbb{R}^{m_Q} \tag{83}$$

where $u$ is an $m_Q \times 1$ vector of real numbers. In addition, refer to Fig. 1 to see that $H_{Q*}$ can be partitioned as:

$$H_{Q*} = \begin{bmatrix} H_{K*} & 0 \\ X & X \end{bmatrix} \tag{84}$$

where ‘X’ indicates block matrices that are not directly relevant to this derivation. Substituting Eq. (84) into (83) and substituting the result into the left-hand side of Eq. (82) yields:

$$\left( I - H_{K*} S_{K*} \right) \begin{bmatrix} I & 0 \end{bmatrix} \begin{bmatrix} H_{K*} & 0 \\ X & X \end{bmatrix} u \tag{85}$$

which simplifies to

$$\left( I - H_{K*} S_{K*} \right) \begin{bmatrix} H_{K*} & 0 \end{bmatrix} u. \tag{86}$$

Because

$$S_{K*} H_{K*} = I \tag{87}$$

it must be true that Eq. (82) is satisfied. (As mentioned when deriving Eq. (78), the definition of $S_{K*}$ is the same as $S_{Q*}$ in Eq. (73) but applied to the normalized, subset batch equation.) Therefore, referring back to Eq. (81), it has been established that:

$$r_{K|K} = \left( I - H_{K*} S_{K*} \right) \begin{bmatrix} I & 0 \end{bmatrix} \delta z_{\perp,Q}$$

Similar to Eq. (21) for the full batch, the residual component at the last epoch of the subset batch residual is given by:

$$r_{k|K} = \begin{bmatrix} 0 & I_{n_k} \end{bmatrix} r_{K|K} = \begin{bmatrix} 0 & I_{n_k} \end{bmatrix} \left( I_{n_K} - H_{K*} S_{K*} \right) \begin{bmatrix} I_{n_K} & 0 \end{bmatrix} \delta z_{\perp,Q} \tag{88}$$

where subscripts of the identity matrices $I$ indicate their dimensions. Finally, Eqs. (77) and (88) prove that the current-time estimate error $\delta x_{q|Q}$ and the past-time KF residual vectors $r_{k|K}$ (at any time $k$, for $k$ ranging from 1 to $q$) are derived from independent components of the full batch measurement error vector $\delta z_Q$.
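A numerical check of the two steps of this proof, added here as an illustration (it is not code from the paper): it builds a constructed normalized batch matrix with the block structure of Eq. (84) and evaluates Eq. (77), Eq. (82) and the cross-covariance between $\delta x_{q|Q}$ and $r_{K|K}$ for $\delta z_Q \sim \mathcal{N}(0, I)$. The dimensions, the random matrix entries and the `coupled` switch, which deliberately fills the zero block of Eq. (84), are assumptions of the example.

```python
import numpy as np

def ls_estimator(H):
    """S = (H^T H)^{-1} H^T, the estimator matrix of Eq. (73)."""
    return np.linalg.solve(H.T @ H, H.T)

def independence_check(n_K=6, m_K=3, n_q=4, m_q=2, coupled=False, seed=0):
    """Return (eq77, eq82, cross_cov), each the largest absolute matrix entry.

    All dimensions and matrix entries are constructed for this example.
    coupled=True fills the zero block of Eq. (84), breaking the structure
    that the proof relies on.
    """
    rng = np.random.default_rng(seed)
    H_K = rng.standard_normal((n_K, m_K))              # subset batch H_K*
    top_right = (rng.standard_normal((n_K, m_q)) if coupled
                 else np.zeros((n_K, m_q)))             # zero block of Eq. (84)
    H_Q = np.block([[H_K, top_right],
                    [rng.standard_normal((n_q, m_K)),   # 'X' blocks
                     rng.standard_normal((n_q, m_q))]])
    n_Q = n_K + n_q
    S_K, S_Q = ls_estimator(H_K), ls_estimator(H_Q)

    sel_state = np.hstack([np.zeros((m_q, m_K)), np.eye(m_q)])  # [0 I], Eq. (75)
    sel_meas = np.hstack([np.eye(n_K), np.zeros((n_K, n_q))])   # [I 0], Eq. (80)
    A = sel_state @ S_Q                          # dx_{q|Q} = A dz_Q, Eq. (76)
    B = (np.eye(n_K) - H_K @ S_K) @ sel_meas     # r_{K|K}  = B dz_Q, Eq. (81)
    P_par = H_Q @ S_Q                            # projector onto Range(H_Q*)
    P_perp = np.eye(n_Q) - P_par                 # projector onto the parity space

    eq77 = np.abs(A @ P_perp).max()   # parity component never reaches dx
    eq82 = np.abs(B @ P_par).max()    # range component never reaches r
    cross_cov = np.abs(A @ B.T).max() # E[dx r^T] when cov(dz_Q) = I
    return eq77, eq82, cross_cov

if __name__ == "__main__":
    for flag in (False, True):
        e77, e82, cc = independence_check(coupled=flag)
        print(f"coupled={flag}: eq77={e77:.2e} eq82={e82:.2e} cov={cc:.2e}")
```

With the zero block in place all three quantities vanish to rounding error; once it is filled, Eq. (77) still holds but Eq. (82) and the cross-covariance do not, which is why the partition in Eq. (84) carries the proof.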

D. Proof of Theorem III: Mutual Independence between Current-Time and Past-Time Residuals

The residual $r_{k|K}$ can be expressed in terms of the independent random vectors $z_k$ and $\hat{x}_{k|K-1}$:

$$r_{k|K} = \left( I - H_k K_k \right) z_k - H_k \left( I - K_k H_k \right) \hat{x}_{k|K-1}$$

Using the KF time-update equation ($\hat{x}_{k|K-1} = \Phi_{k-1} \hat{x}_{k-1|K-1}$), $r_{k|K}$ can be rewritten as:

$$r_{k|K} = \left( I - H_k K_k \right) z_k - H_k \left( I - K_k H_k \right) \Phi_{k-1} \hat{x}_{k-1|K-1} \tag{89}$$

The next paragraph shows that at any time $k$, the KF residuals $r_{1|1}$ to $r_{k-1|K-1}$ are all independent of $r_{k|K}$, by showing that they are independent of both $z_k$ and $\hat{x}_{k-1|K-1}$, from which $r_{k|K}$ is derived in Eq. (89). First, the KF residual at any epoch $k$ is computed using all previous measurements. Therefore, KF residuals $r_{1|1}$ to $r_{k-1|K-1}$ are all independent from $z_k$ (they are computed using $z_1$ to $z_{k-1}$ only). Second, Theorem II is applied to the subset batch that uses measurements $z_1$ to $z_{k-1}$ (subscripts $q$ and $Q$ in Theorem II are replaced by $k-1$ and $K-1$). Theorem II states that $\hat{x}_{k-1|K-1}$ is independent from residuals $r_{1|1}$ to $r_{k-1|K-1}$. Therefore, returning to Eq. (89), the residual $r_{k|K}$ is independent of all previous KF residuals from $r_{1|1}$ to $r_{k-1|K-1}$, and this is true at all times $k$, for $k$ ranging between 1 and $q$. It has therefore been shown that the random parts of current-time and past-time KF residual components $r_{k|K}$ are all mutually independent.

References [1]

Gertler, J. “A Survey of Model Based Failure Detection and Isolation in Complex Plants,” IEEE Control Systems Magazine, Vol. 8, No.6, 1988, pp. 3-11.

[2]

Y. Wang, Y., Hussein, I., Erwin, R., “Risk-Based Sensor Management for Integrated Detection and Estimation,” AIAA Journal of Guidance, Control, and Dynamics, Vol. 34, No. 6, 2011, pp. 1767-1778.

[3]

Velaga, N. R., Quddus, M. A., Bristow, A. L., and Zheng, Y., “Map-Aided Integrity Monitoring of a Land Vehicle Navigation System,” IEEE Transactions on Intelligent Transportation Systems, Vol. 13, No. 2, 2012, pp. 848-858.

[4]

RTCA Special Committee 159, “Minimum Operational Performance Standards for Global Positioning System/Wide Area Augmentation System Airborne Equipment,” RTCA/DO-229C, 2001, pp. 1-21.

[5]

RTCA Special Committee 159, “Minimum Aviation System Performance Standards for the Local Area Augmentation System (LAAS),” RTCA/DO-245, 2004, Appendix D.

[6]

Blanch, J., Ene, A., Walter, T., and Enge, P., “An Optimized Multiple Hypothesis RAIM Algorithm for Vertical Guidance,” Proceedings of the 20th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2007), Fort Worth, TX, 2007, pp. 2924-2933.

[7]

Lee, Y. C., “Analysis of Range and Position Comparison Methods as a Means to Provide GPS Integrity in the User Receiver,” Proceedings of the 42nd Annual Meeting of The Institute of Navigation, Seattle, WA, 1986, pp. 1-4.

[8]

Parkinson, B. W., and Axelrad, P., “Autonomous GPS Integrity Monitoring Using the Pseudorange Residual,” NAVIGATION: Journal of the Institute of Navigation, Vol. 35, No. 2, 1988, pp. 225-274.

[9]

Brown, R., “Receiver Autonomous Integrity Monitoring,” Global Positioning System: Theory and Applications Volume 2, Washington, DC: AIAA Progress in Aeronautics and Astronautics, Vol. 163, 1996, pp. 143-166.

[10] Willsky, A., “A survey of design methods for failure detection in dynamic systems,” Automatica, Vol. 12, 1976, pp. 601611.

[11] Dragalin, V.P., Tartakovsky, A.G., Veeravalli, V.V., “The interacting multiple model algorithm for systems with Markovian switching coefficients,” IEEE Transactions on Information Theory, Vol. 45 , No. 7, Nov 1999, , pp. 2448-2461. [12] Dragalin, V.P., Tartakovsky, A.G., Veeravalli, V.V., “Multihypothesis sequential probability ratio tests. II. Accurate asymptotic expansions for the expected sample size,” IEEE Transactions on Information Theory, Vol. 46, No. 4, Jul 2000, pp. 1366-1383. [13] Sobel, M., and Wald, A., “A Sequential Decision Procedure for Choosing One of Three Hypotheses Concerning the Unknown Mean of a Normal Distribution,” The Annals of Mathematical Statistics, Vol. 20, No. 4, 1949, pp. 502-522. [14] Page, E. S., “Continuous inspection schemes,” Biometrika, Vol. 41, 1954, pp. 100-115. [15] Lorden, G., “Procedures for reacting to a change in distribution,” The Annals of Mathematical Statistics, Vol. 42, No. 6, 1971, pp. 1897-1908. [16] Malladi, D. P., and Speyer, J. L., “A Generalized Shiryayev Sequential Probability Ratio Test for Change Detection and Isolation,” IEEE Transactions on Automatic Control, Vol. 44, No. 8, 1999, pp. 1522-1534. [17] D. Choukroun, and J. Speyer, “Mode Estimation via Conditionally Linear Filtering: Application to Gyro Failure Monitoring,” AIAA Journal of Guidance, Control, and Dynamics, Vol. 35, No. 2, 2012, pp. 632-644. [18] Brown, R. G., and Hwang, Y. C., “GPS failure detection by autonomous means within the cockpit,” Proceedings of the 42nd Annual Meeting of the Institute of Navigation, Seattle, WA, 1986, pp. 5-12. [19] White, N. A., Maybeck, P. S., and DeVilbiss, S. L, “Detection of Interference/Jamming and Spoofing in a DGPS-Aided Inertial System,” IEEE Transactions on Aerospace and Electronic Systems, Vol. 34, No. 4, Oct. 1998, pp. 1208-1217. [20] Chan, S., and Speyer, J. 
L., “A Sequential Probability Test for RAIM,” Proceedings of the 17th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2004), Long Beach, CA, 2004, pp. 1798-1802. [21] Blom, H.A.P., and Bar-Shalom, Y., “The Interacting Multiple Model Algorithm for Systems with Markovian Switching Coefficients,” IEEE Transactions on Automatic Control, Vol. 33 , No. 8, 1988, pp. 780-783. [22] Willsky, A., and Jones, H., “A generalized likelihood ratio approach to the detection and estimation of jumps in linear systems,” IEEE Transactions on Automatic Control, Vol. 21, No. 1, Feb. 1976, pp. 108 – 112. [23] Chow, E., and Willsky, A., “Analytical redundancy and the design of robust failure detection systems,” IEEE Transactions on Automatic Control, Vol. 29 , No. 7, 1984, pp. 603-614. [24] Sukkarieh, S., Nebot, E. M., and Durrant-Whyte, H.F., “A High Integrity IMU/GPS Navigation Loop for Autonomous Land Vehicle Applications,” IEEE Transactions on Robotics and Automation, Vol. 15, No. 3, Jun. 1999, pp. 572–578. [25] Abuhashim, T. S., Abdel-Hafez, M. F., and Al-Jarrah, M.-A., “Building a Robust Integrity Monitoring Algorithm for a Low Cost GPS-aided-INS System,” International Journal of Control, Automation, and Systems, Vol. 8, No. 5, 2010, pp. 1108-1122.

[26] Friséna, M., “Optimal Sequential Surveillance for Finance, Public Health, and Other Areas,” Sequential Analysis: Design Methods and Applications, Vol. 28, No. 3, 2009, pp. 310-337. [27] Lai, T. L., “Sequential Multiple Hypothesis Testing and Efficient Fault Detection-Isolation in Stochastic Systems,” IEEE Transactions on Information Theory, Vol. 46, No. 2, 2000, pp. 595-608. [28] Sullivan, E. J., and Candy, J. V., “Sequential Detection Estimation and Noise Cancellation,” Imaging for Detection and Identification, NATO Security through Science Series, 2007, pp 97-105. [29] Dionne, D., Oshman, Y., and Shinar, D., “Novel Adaptive Generalized Likelihood Ratio Detector with Application to Maneuvering Target Tracking,” AIAA Journal of Guidance, Control, and Dynamics, Vol. 29, No. 2, 2006, pp. 465-474. [30] Hewitson, S., and Wang, J., “Extended Receiver Autonomous Integrity Monitoring (eRAIM) for GNSS/INS Integration,” Journal of Surveying Engineering, Vol. 136, No. 1, Feb. 2010, pp. 13-22. [31] Diesel, J., and Luu, S., “GPS/IRS AIME: Calculation of Thresholds and Protection Radius Using Chi-Square Methods,” Proceedings of the 8th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GPS 1995), Palm Springs, CA, 1995, pp. 1959-1964. [32] Nikiforov, I., “New optimal approach to Global Positioning System/Differential Global Positioning System integrity monitoring,” AIAA Journal of Guidance, Control, and Dynamics, Vol.19, No.5, 1996, pp. 1023-1033. [33] Bakhache, B., “A Sequential RAIM Based on the Civil Aviation Requirements,’ Proceedings of the 12th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GPS 1999), Nashville, TN, 1999, pp. 12011210. 
[34] Clot, A., Macabiau, C., Nikiforov, I., and Roturier, B., “Sequential RAIM Designed to Detect Combined Step Ramp Pseudo-Range Error,” Proceedings of the 19th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GNSS 2006), Fort Worth, TX, 2006, pp. 2621-2633. [35] Brenner, M., “lntegrated GPS/lnertial Fault Detection Availability,” Proceedings of the 8th International Technical Meeting of the Satellite Division of The Institute of Navigation (ION GPS 1995), Palm Springs, CA, 1995, pp. 1949-1958. [36] Joerger, M., Gratton, L., Pervan, B., and Cohen, C. E., “Analysis of Iridium-Augmented GPS for Floating Carrier Phase Positioning,” NAVIGATION: Journal of the Institute of Navigation, Vol. 57, No. 2, Summer 2010, pp. 137-160. [37] Bryson, A. E., Applied Linear Optimal Control, Cambridge University Press, Cambridge, UK, 2002, pp. 310-312. [38] Sturza, M., “Navigation System Integrity Monitoring Using Redundant Measurements,” NAVIGATION: Journal of the Institute of Navigation, Vol. 35, No. 4, 1988, pp. 69-87. [39] Assistant Secretary of Defense for Command, Control, Communications and Intelligence, “Global Positioning System Standard

Positioning

Service

Performance

Standard,”

available

online

at

/geninfo/2001SPSPerformanceStandardFINAL.pdf, Washington, DC., 2001, Section A-5.

http://www.navcen.uscg.gov/GPS

[40] Pervan, B., “Navigation integrity for aircraft precision landing using the global positioning system,” Ph.D. Dissertation, Stanford University, Aeronautics and Astronautics Dept., Stanford, CA, 1996, Appendix C. [41] Crassidis, J., and J. Junkins, Optimal Estimation of Dynamic Systems, Boca Raton, FL: Chapman & Hall/CRC, 2004, Chapter 6. [42] Joerger, M., and Pervan, B., “Sequential Residual-Based RAIM,” Proceedings of the 23rd International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2010), Portland, OR, 2010, pp. 3167-3180. [43] Ropokis, G., Rontogiannis, A., and Mathiopoulos, P., “Quadratic forms in normal RVs: Theory and applications to OSTBC over Hoyt fading channels,” IEEE Transactions on Wireless Communications, Vol. 7, No. 12, 2008, pp.5009 - 5019. [44] Davies, R. B., “Algorithm AS 155: The Distribution of a Linear Combination of χ2 Random Variables,” Journal of the Royal Statistical Society, Series C (Applied Statistics), Vol. 29, No. 3, 1980, pp. 323-333. [45] Joerger, M., Neale, J., and Pervan, B., “Iridium/GPS Carrier Phase Positioning and Fault Detection Over Wide Areas,” Proceedings of the 22nd International Technical Meeting of The Satellite Division of the Institute of Navigation (ION GNSS 2009), Savannah, GA, 2009, pp. 1371-1385. [46] Angus, J. E., “RAIM with multiple faults,” NAVIGATION: Journal of the Institute of Navigation, Vol. 53, No. 4, 2007, pp.249-257. [47] Parkinson, B., and Enge P., “Differential GPS,” Global Positioning System: Theory and Applications Volume 2, Washington, DC: AIAA Progress in Aeronautics and Astronautics, Vol. 163, 1996, pp. 3-41. [48] McGraw, G., Murphy, T., Brenner, M., Pullen, S., and Van Dierendonck, A., “Development of the LAAS Accuracy Models,” Proceedings of the Institute of Navigation GPS Conference, Salt Lake City, UT, 2000, pp. 1212-1223. [49] Klobuchar, J. 
A., “Ionospheric Effects on GPS,” Global Positioning System: Theory and Applications Volume 1, Washington, DC: AIAA Progress in Aeronautics and Astronautics, Vol. 163, 1996, pp. 485-514. [50] Hwang, P., “Kinematic GPS for Differential Positioning: Resolving Integer Ambiguities on the Fly,” NAVIGATION: Journal of the Institute of Navigation, Vol. 38, No. 1, 1991, pp. 1-15.